nixos/doc/rl-2511: move nixpkgs entries to nixpkgs manual

- `buildGoModule` now warns if `<pkg>.passthru.overrideModAttrs` is lost during the overriding of its result packages.

- `cardboard` has been removed due to the package having been broken since at least November 2024.

- `carla` no longer support `gtk2` override.

- `chatgpt-retrieval-plugin` has been removed due to the package having been broken since at least November 2024.

- `conduwuit` was removed due to upstream ceasing development and deleting their repository. For existing data, a migration to `matrix-conduit`, `matrix-continuwuity` or `matrix-tuwunel` may be possible.

- `conftest` since `0.60.0` has moved to use rego `v1` as default. To continue using `v0` use `--rego-version v0`. For more information about upgrading to Rego v1 syntax, see the [upstream docs](https://www.openpolicyagent.org/docs/latest/v0-upgrade/).

- `opensoldat` binaries and user configuration directory names have been prefixed by 'open', becoming opensoldat and opensoldatserver. Configuration will be moved automatically before launch when possible.

- `orjail` package has been removed as it is broken by the latest firejail release and seems unmaintained.

- `pcp` has been removed because the upstream repo was archived and it hasn't been updated since 2021.

- `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`.

- `reaction` has been updated to version 2, which includes some breaking changes.

  For more information, [check the release article](https://blog.ppom.me/en-reaction-v2).

- `renovate` was updated to v41. See the upstream release notes for [v40](https://github.com/renovatebot/renovate/releases/tag/40.0.0) and [v41](https://github.com/renovatebot/renovate/releases/tag/41.0.0) for breaking changes.

- `river` 0.3.x has been renamed to `river-classic` following an upstream decision.

- `rocmPackages.triton` has been removed in favor of `python3Packages.triton`.

- `rofi` has been updated to `2.0.0`. `rofi-wayland` and `rofi-wayland-unwrapped` have been merged into `rofi` and `rofi-unwrapped` respectively. For more information and instructions see the [v2.0.0 changelog entry](https://github.com/davatorium/rofi/releases/tag/2.0.0).

- `sail-riscv` 0.8 follows [upstream](https://github.com/riscv/sail-riscv/blob/7cc4620eb1a57bfe04832baccdcf5727e9459bd4/doc/ChangeLog.md) and provides only a single binary, `sail_riscv_sim`.

- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.

  See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.

- `space-orbit` package has been removed due to lack of upstream maintenance. Debian upstream stopped tracking it in 2011.

- `spidermonkey_91` has been removed, as it has been EOL since September 2022.

- `telegram-desktop` packages now uses `Telegram` for its binary. The previous name was `telegram-desktop`. This is due to [an upstream decision](https://github.com/telegramdesktop/tdesktop/commit/56ff5808a3d766f892bc3c3305afb106b629ef6f) to make the name consistent with other platforms.

- `teleport` has been upgraded from major version 17 to major version 18.

Refer to [upstream upgrade instructions](https://goteleport.com/docs/upgrading/overview/)

and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

- The `asterisk-lts` package was changed to v22 from v18. The default `asterisk` package was changed to v22 from v20. Asterisk version 18 has been dropped due to being EOL. The `asterisk-stable` (v20) package was unchanged. You may need to update /var/lib/asterisk to match the template files in `${asterisk-...}/var/lib/asterisk`.

- The `archipelago-minecraft` package was removed, as upstream no longer provides support for the Minecraft APWorld.

- The default Android NDK version has been raised to 27, and the default SDK version to 35.

- The `haskellPackages.mkDerivation` builder now converts packages' cabal files to Unix line endings before `patchPhase`. This behavior can be disabled using `dontConvertCabalFileToUnix`.

- The default `kops` version is now 1.33.0 and versions 1.30 and older have been dropped. See [Upgrading Kubernetes](https://kops.sigs.k8s.io/tutorial/upgrading-kubernetes/) for instructions on how to update kOps.

- The license of duckstation has changed from `gpl3Only` to `cc-by-nc-nd-40` making it unfree in newer releases. The `duckstation` package has been overhauled to support the new releases and `duckstation-bin` has been aliased to `duckstation` to support darwin binary builds.

- The main binary of `tomlq` has been renamed from `tomlq` to `tq`.

- The minimum version of Nix required to evaluate Nixpkgs has been raised from 2.3 to 2.18.

- The `no-broken-symlink` build hook now also fails builds whose output derivation contains links to $TMPDIR (typically /build, which contains the build directory).

- The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/)

  for all the details and how to ensure smooth upgrades.

- The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader.

- The `pie` hardening flag has been removed. Compilers are expected to enable PIE by default, as has been common practice since 2016 outside of Nixpkgs. If a package needs `pie` disabled pass `-no-pie` in `CFLAGS`. It is unlikely this will be necessary in many cases; due to the prevalence of default PIE toolchains, most packages incompatible with PIE already pass `-no-pie`.

- `webkitgtk_4_0` has been removed because it depends on an unmaintained version of security-critical libsoup library (`libsoup_2`) and the support will be [dropped upstream soon](https://webkitgtk.org/2025/10/07/webkitgtk-soup2-deprecation.html).

- `yehawn` was removed due to the package being broken and unmaintained upstream.

- `yggdrasil-jumper` has been updated to v0.4, changing traversal protocol. See [release notes](https://github.com/one-d-wide/yggdrasil-jumper/releases/tag/v0.4.0).

- `zig_0_12` has been removed.

- `zigbee2mqtt` was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.

## Other Notable Changes {#sec-nixpkgs-release-25.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- `cloudflare-ddns` has been added.

- Direct use of `pkgs.formats.systemd` has been deprecated, and should now be instantiated with `pkgs.formats.systemd { }` similarly to other items in `pkgs.formats`.

- `dragonflydb` has been updated from version 0.1.0 to version 1.34.2.

- `emacs` now disables the GC mark trace buffer by default. This improves GC performance by 5%, but can make GC issues harder to debug. This is configurable with `withGcMarkTrace`.

- `etcd` package was upgraded to 3.6, see [migration notes](https://etcd.io/docs/v3.6/upgrades/upgrade_3_6/) for incompatibilities and upgrade procedure.

- `fetchgit` now accepts a `gitConfigFile` argument to set a git config (via `$GIT_CONFIG_GLOBAL`) for the fetcher.

- `fetchgit` now accepts a `rootDir` argument to limit the resulting source to one subdirectory of the whole Git repository. Corresponding `--root-dir` option added to `nix-prefetch-git`.

- GIMP now defaults to version 3. Use `gimp2` for the old version.

- `gitversion` was updated to 6.3.0, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.

  See the [6.0.0 release notes for GitVersion](https://github.com/GitTools/GitVersion/releases/tag/6.0.0) for details on the breaking changes, [the documentation on the configuration format](https://gitversion.net/docs/reference/configuration) for the new configuration specification, and [the documentation on version variables](https://gitversion.net/docs/reference/variables) for what is now supported.

- `gramps` has been updated to 6.0.0

  Upstream recommends [backing up your Family Trees](https://gramps-project.org/wiki/index.php/Gramps_6.0_Wiki_Manual_-_Manage_Family_Trees#Backing_up_a_Family_Tree) before upgrading.

- [`homebox` 0.20.0](https://github.com/sysadminsmedia/homebox/releases/tag/v0.20.0) changed how assets are stored and hashed. It is recommended to back up your database before this update. In particular, `--storage-data` was replaced with `--storage-conn-string` and `--storage-prefix-path`. If your configuration set `HBOX_STORAGE_DATA` manually, you must migrate it to `HBOX_STORAGE_CONN_STRING` and `HBOX_STORAGE_PREFIX_PATH`.

- HTTP3 support has been enabled in in `nginx`, `openresty`, `angie` and `tengine`. The `nginxQuic` and `angieQuic` package flavors have been removed.

- `idris2` supports being instantiated with a package environment with `idris.withPackages (p: [ ])`.

- `installShellCompletion` now supports Nushell completion files.

  Instead, you should _override_ the python build helper, e.g., `(buildPythonPackage.override { stdenv = customStdenv; })`.

  See [](#overriding-python-build-helpers).

- `php81` was removed.

- `plasma6`: Fixed the `ksycoca` cache not being re-built when `$XDG_CACHE_HOME` is set to something that isn't `$HOME/.cache`.

- `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.

- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.

- `sftpman` has been updated to version 2, a rewrite in Rust which is mostly backward compatible but does include some changes to the CLI.

  For more information, [check the project's README](https://github.com/spantaleev/sftpman-rs#is-sftpman-v2-compatible-with-sftpman-v1).

- `slurm` no longer supports gtk2.

- `sparkleshare` has been removed as it no longer builds and has been abandoned upstream.

- `strongSwan` has been updated to 6.0. See [strongSwan 6.0.0 release notes](https://github.com/strongswan/strongswan/releases/tag/6.0.0) for a complete list of changes.

- `simplesamlphp` has been removed since the package was severely outdated, unmaintained in Nixpkgs and having known vulnerabilities.

- The `clickhouse` package now track the stable upstream version per [upstream's

  recommendation](https://clickhouse.com/docs/faq/operations/production). Users

  can continue to use the `clickhouse-lts` package if desired.

- The `dockerTools.streamLayeredImage` builder now uses a better algorithm for generating layered docker images, such that much more sharing is possible when the number of store paths exceeds the layer limit. It gives each of the largest store paths its own layer and adds dependencies to those layers when they aren't used elsewhere.

- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.

- The systemd initrd will now respect `x-systemd.wants` and `x-systemd.requires` for reliably unlocking multi-disk bcachefs volumes.

- The third-party `ant-contrib` is no longer included in the `ant` package.

- Packages using `versionCheckHook` that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.

- `waydroid-nftables` is a new variant of `waydroid` that supports nftables instead of iptables.

- `command-not-found` package is now disabled by default; it works only for nix-channels based systems, and requires setup for it to work.

- Direct use of `pkgs.formats.systemd` has been deprecated, and should now be instantiated with `pkgs.formats.systemd { }` similarly to other items in `pkgs.formats`.

- `hardware.amdgpu.amdvlk` and the `amdvlk` package have been removed, as they have been deprecated by AMD. These have been replaced with the RADV driver from Mesa, which is enabled by default.

- HTTP3 support has been enabled in in `nginx`, `openresty`, `angie` and `tengine`. The `nginxQuic` and `angieQuic` package flavors have been removed.

- `etcd` package was upgraded to 3.6, see [migration notes](https://etcd.io/docs/v3.6/upgrades/upgrade_3_6/) for incompatibilities and upgrade procedure.

- `firezone` has changed how the `Everyone` group behaves. Service Accounts are no longer considered part of `Everyone`.

- `gitversion` was updated to 6.3.0, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.

  See the [6.0.0 release notes for GitVersion](https://github.com/GitTools/GitVersion/releases/tag/6.0.0) for details on the breaking changes, [the documentation on the configuration format](https://gitversion.net/docs/reference/configuration) for the new configuration specification, and [the documentation on version variables](https://gitversion.net/docs/reference/variables) for what is now supported.

- `i18n.inputMethod.fcitx5.plasma6Support` has been removed because qt6 is the only one used for fcitx5-configtool now.

- Linux 5.4 and all its variants have been removed since mainline will reach its end of life within the support-span of 25.11.

- NixOS display manager modules now strictly use tty1, where many of them previously used tty7. Options to configure display managers' VT have been dropped. A configuration with a display manager enabled will not start `getty@tty1.service`, even if the system is forced to boot into `multi-user.target` instead of `graphical.target`.

- `orjail` package has been removed as it is broken by the latest firejail release and seems unmaintained.

- [private-gpt](https://github.com/zylon-ai/private-gpt) service has been removed by lack of maintenance upstream.

- `programs.cardboard` was removed due to the package having been broken since at least November 2024.

- `programs.goldwarden` has been removed, due to the software not working with newer versions of the Bitwarden and Vaultwarden servers, as well as it being abandoned upstream.

  - The `mime_types_file` setting is now set to `"${pkgs.mailcap}/etc/mime.types"` to prevent errors.

  For a complete list of changes, please see [their announcement](https://blog.prosody.im/prosody-13.0.0-released/).

- `renovate` was updated to v41. See the upstream release notes for [v40](https://github.com/renovatebot/renovate/releases/tag/40.0.0) and [v41](https://github.com/renovatebot/renovate/releases/tag/41.0.0) for breaking changes.

- `programs.river` has been renamed to `programs.river-classic` following an upstream decision.

- `river` 0.3.x has been renamed to `river-classic` upstream, and the package renamed accordingly. `programs.river` has been renamed to `programs.river-classic`.

- `services.chatgpt-retrieval-plugin` was removed due to the package having been broken since at least November 2024.

- `services.dwm-status.extraConfig` was replaced by [RFC0042](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)-compliant [](#opt-services.dwm-status.settings), which is used to generate the config file. `services.dwm-status.order` is now moved to [](#opt-services.dwm-status.settings.order), as it's a part of the config file.

- `services.parsoid` and the `nodePackages.parsoid` package have been removed, as the JavaScript-based version this module uses is not compatible with modern MediaWiki versions.

- `services.private-gpt` has been removed by lack of maintenance upstream.

- `services.quorum` has been removed as the `quorum` package was broken and abandoned upstream.

- `services.seafile` has been removed, as it is unmaintained and outdated.

- `services.tor.torsocks.enable` no longer defaults to true if Tor and Tor client functionality is enabled.

- `sing-box` has been updated to 1.12.3, which includes a number of breaking changes, old configurations may need updating or they will cause the tool to fail to run.

  See the [change log](https://sing-box.sagernet.org/changelog/#1123) for details and [migration](https://sing-box.sagernet.org/migration/#1120) for how to update old configurations.

- `teleport` has been upgraded from major version 17 to major version 18.

Refer to [upstream upgrade instructions](https://goteleport.com/docs/upgrading/overview/)

and [release notes for v18](https://goteleport.com/docs/changelog/#1800-070325).

- The `asterisk-lts` package was changed to v22 from v18. The default `asterisk` package was changed to v22 from v20. Asterisk version 18 has been dropped due to being EOL. The `asterisk-stable` (v20) package was unchanged. You may need to update /var/lib/asterisk to match the template files in `${asterisk-...}/var/lib/asterisk`.

- The `boot.readOnlyNixStore` has been removed. Control over bind mount options on `/nix/store` is now offered by the `boot.nixStoreMountOpts` option.

- The `cardboard` package and `programs.cardboard` module were removed due to the package having been broken since at least November 2024.

- The `chatgpt-retrieval-plugin` package and `services.chatgpt-retrieval-plugin` module were removed due to the package having been broken since at least November 2024.

- The default `kops` version is now 1.33.0 and versions 1.30 and older have been dropped. See [Upgrading Kubernetes](https://kops.sigs.k8s.io/tutorial/upgrading-kubernetes/) for instructions on how to update kOps.

- The `dovecot` systemd service was renamed from `dovecot2` to `dovecot`. The former is now just an alias. Update any overrides on the systemd unit to the new name.

- The `NIXOS_EXTRA_MODULE_PATH` variable from configuration evaluation has been deprecated.

- The `file-roller` module has been removed due to not being required for function, file roller itself has also been removed from the `services.desktopManager.gnome` module as it's not part of GNOME core applications.

- The `no-broken-symlink` build hook now also fails builds whose output derivation contains links to $TMPDIR (typically /build, which contains the build directory).

- The non-LTS Forgejo package (`forgejo`) has been updated to 12.0.0. This release contains breaking changes, see the [release blog post](https://forgejo.org/2025-07-release-v12-0/)

  for all the details and how to ensure smooth upgrades.

- The Perl implementation of the `switch-to-configuration` program is removed. All switchable systems now use the Rust rewrite. Any prior usage of `system.switch.enableNg` must now be removed. If you have any outstanding issues with the new implementation, please open an issue on GitHub.

- The Pocket ID module ([`services.pocket-id`][#opt-services.pocket-id.enable]) and package (`pocket-id`) has been updated to 1.0.0. Some environment variables have been changed or removed, see the [migration guide](https://pocket-id.org/docs/setup/migrate-to-v1/).

- The `wstunnel` module was converted to RFC42-style settings, you will need to update your NixOS config if you make use of this module.

- The `yeahwm` package and `services.xserver.windowManager.yeahwm` module were removed due to the package being broken and unmaintained upstream.

- The `zigbee2mqtt` package was updated to version 2.x, which contains breaking changes. See the [discussion](https://github.com/Koenkk/zigbee2mqtt/discussions/24198) for further information.

- `services.xserver.windowManager.yeahwm` was removed due to the package being broken and unmaintained upstream.

- The zookeeper project changed their logging tool to logback, therefore `services.zookeeper.logging` option has been updated to expect a logback compatible string.

- Options under [networking.getaddrinfo](#opt-networking.getaddrinfo.enable) are now allowed to declaratively configure address selection and sorting behavior of `getaddrinfo` in dual-stack networks.

- `php81` was removed.

- Potential race conditions in the network setup when using `networking.interfaces` have been fixed by disabling duplicate address detection (DAD)

  for statically configured IPv6 addresses.

- `prl-tools` has been moved out of `linuxPackages` because Parallels Guest Tools become driverless since 26.1.0.

- `prosody` gained a config check option named `services.prosody.checkConfig` which runs `prosodyctl check config` and is turned on by default.

- Revamp of the ACME certificate acquisition and renewal process to help scale systems with lots (100+) of certificates.

- `services.xserver.desktopManager.deepin` and associated packages have been removed due to being unmaintained. See issue [#422090](https://github.com/NixOS/nixpkgs/issues/422090) for more details.

- `simplesamlphp` has been removed since the package was severely outdated, unmaintained in nixpkgs and having known vulnerabilities.

- `slurm` no longer supports gtk2.

- `sparkleshare` has been removed as it no longer builds and has been abandoned upstream.

- `strongSwan` has been updated to 6.0. See [strongSwan 6.0.0 release notes](https://github.com/strongswan/strongswan/releases/tag/6.0.0) for a complete list of changes.

- `systemd.extraConfig` and `boot.initrd.systemd.extraConfig` was converted to RFC42-style `systemd.settings.Manager` and `boot.initrd.systemd.settings.Manager` respectively.

  - `systemd.watchdog.runtimeTime` was renamed to `systemd.settings.Manager.RuntimeWatchdogSec`

  - `systemd.watchdog.device` was renamed to `systemd.settings.Manager.WatchdogDevice`

- The new option [networking.ipips](#opt-networking.ipips) has been added to create IP within IP kind of tunnels (including 4in6, ip6ip6 and ipip).

  With the existing [networking.sits](#opt-networking.sits) option (6in4), it is now possible to create all combinations of IPv4 and IPv6 encapsulation.

- The `open-webui` package's postgres support have been moved to optional dependencies to comply with upstream changes in 0.6.26.

- The third-party `ant-contrib` is no longer included in the `ant` package.

- [tpm2-totp](https://github.com/tpm2-software/tpm2-totp) can now be used to show a TOTP during boot using Plymouth. Available as [boot.plymouth.tpm2-totp](#opt-boot.plymouth.tpm2-totp.enable).

- `users.users.*.linger` now defaults to `null` rather than `false`, meaning NixOS will not attempt to enable or disable lingering for that user account, instead allowing for imperative control over lingering using the `loginctl` commands. In practice, this is unlikely to make a difference for most people, as new users are created without lingering configured. There is a new, related option, `users.manageLingering`, which can be used to prevent NixOS attempting to manage lingering entirely.