configuration.nix - Man Page
NixOS system configuration specification
Description
The file /etc/nixos/configuration.nix contains the declarative specification of your NixOS system configuration. The command nixos-rebuild takes this file and realises the system configuration specified therein.
Options
You can use the following options in configuration.nix.
- appstream.enable
Whether to install files to support the AppStream metadata specification.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/appstream.nix>
- boot.enableContainers
Whether to enable support for NixOS containers. Defaults to true (at no cost if containers are not actually used).
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- boot.binfmt.emulatedSystems
List of systems to emulate. Will also configure Nix to support your new systems. Warning: the builder can execute all emulated systems within the same build, which introduces impurities in the case of cross compilation.
Type: list of strings
Default: [ ]
Example: [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations
Extra binary formats to register with the kernel. See https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html for more details.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.fixBinary
Whether to open the interpreter file as soon as the registration is loaded, rather than waiting for a relevant file to be invoked.
See the description of the 'F' flag in the kernel docs for more details.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.interpreter
The interpreter to invoke to run the program.
Note that the actual registration will point to /run/binfmt/${name}, so the kernel interpreter length limit doesn't apply.
Type: path
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.magicOrExtension
The magic number or extension to match on.
Type: string
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.mask
A mask to be ANDed with the byte sequence of the file before matching.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.matchCredentials
Whether to launch with the credentials and security token of the binary, not the interpreter (e.g. setuid bit).
See the description of the 'C' flag in the kernel docs for more details.
Implies/requires openBinary = true.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.offset
The byte offset of the magic number used for recognition.
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.openBinary
Whether to pass the binary to the interpreter as an open file descriptor, instead of a path.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.preserveArgvZero
Whether to pass the original argv[0] to the interpreter.
See the description of the 'P' flag in the kernel docs for more details.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.binfmt.registrations.<name>.recognitionType
Whether to recognize executables by magic number or extension.
Type: one of "magic", "extension"
Default: "magic"
Declared by:
<nixpkgs/nixos/modules/system/boot/binfmt.nix>
- boot.blacklistedKernelModules
List of names of kernel modules that should not be loaded automatically by the hardware probing code.
Type: list of strings
Default: [ ]
Example: [ "cirrusfb" "i2c_piix4" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/modprobe.nix>
- boot.cleanTmpDir
Whether to delete all files in /tmp during boot.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/tmp.nix>
- boot.consoleLogLevel
The kernel console loglevel. All Kernel Messages with a log level smaller than this setting will be printed to the console.
Type: signed integer
Default: 4
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.crashDump.enable
If enabled, NixOS will set up a kernel that will boot on crash, and leave the user in systemd rescue to be able to save the crashed kernel dump at /proc/vmcore. It also activates the NMI watchdog.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/misc/crashdump.nix>
- boot.crashDump.kernelParams
Parameters that will be passed to the kernel kexec-ed on crash.
Type: list of strings
Default: [ "1" "boot.shell_on_fail" ]
Declared by:
<nixpkgs/nixos/modules/misc/crashdump.nix>
- boot.crashDump.reservedMemory
The amount of memory reserved for the crashdump kernel. If you choose a too high value, dmesg will mention "crashkernel reservation failed".
Type: string
Default: "128M"
Declared by:
<nixpkgs/nixos/modules/misc/crashdump.nix>
- boot.devShmSize
Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.
Type: string
Default: "50%"
Example: "256m"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-2.nix>
- boot.devSize
Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.
Type: string
Default: "5%"
Example: "32m"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-2.nix>
- boot.extraModprobeConfig
Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.d(5) for details.
Type: strings concatenated with "\n"
Default: ""
Example:
'' options parport_pc io=0x378 irq=7 dma=1 ''
Declared by:
<nixpkgs/nixos/modules/system/boot/modprobe.nix>
- boot.extraModulePackages
A list of additional packages supplying kernel modules.
Type: list of packages
Default: [ ]
Example: [ config.boot.kernelPackages.nvidia_x11 ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.extraSystemdUnitPaths
Additional paths that get appended to the SYSTEMD_UNIT_PATH environment variable that can contain mutable unit files.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-2.nix>
- boot.growPartition
Whether to grow the root partition on boot.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/system/boot/grow-partition.nix>
- boot.hardwareScan
Whether to try to load kernel modules for all detected hardware. Usually this does a good job of providing you with the modules you need, but sometimes it can crash the system or cause other nasty effects.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/udev.nix>
- boot.initrd.enable
Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.
Type: boolean
Default: !config.boot.isContainer
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.availableKernelModules
The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.
Type: list of strings
Default: [ ]
Example: [ "sata_nv" "ext3" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.initrd.checkJournalingFS
Whether to run fsck on journaling filesystems such as ext3.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.compressor
The compressor to use on the initrd image. May be any of:
- The name of one of the predefined compressors, see pkgs/build-support/kernel/initrd-compressor-meta.nix for the definitions.
- A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. pkgs: "${pkgs.pigz}/bin/pigz"
- (not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. "${pkgs.pigz}/bin/pigz"
The given program should read data from stdin and write it to stdout compressed.
Type: unspecified
Default: zstd if the kernel supports it (5.9+), gzip if not
Example: "xz"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.compressorArgs
Arguments to pass to the compressor for the initrd image, or null to use the compressor's defaults.
Type: null or list of strings
Default: null
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.extraFiles
Extra files to link and copy in to the initrd.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.extraFiles.<name>.source
The object to make available inside the initrd.
Type: package
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.includeDefaultModules
This option, if set, adds a collection of default kernel modules to boot.initrd.availableKernelModules and boot.initrd.kernelModules.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.initrd.kernelModules
List of modules that are always loaded by the initrd.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.initrd.luks.cryptoModules
A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.
Type: list of strings
Default: [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices
The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/name.
Type: attribute set of submodules
Default: { }
Example: { luksroot = { device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; } ; }
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.allowDiscards
Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it. This option is incompatible with authenticated encryption (dm-crypt stacked over dm-integrity).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.bypassWorkqueues
Whether to bypass dm-crypt's internal read and write workqueues. Enabling this should improve performance on SSDs. Needs Linux 5.9 or later.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.device
Path of the underlying encrypted block device.
Type: string
Example: "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.fallbackToPassword
Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.fido2.credential
The FIDO2 credential ID.
Type: null or string
Default: null
Example: "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.fido2.gracePeriod
Time in seconds to wait for the FIDO2 key.
Type: signed integer
Default: 10
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.fido2.passwordLess
Defines whether to use an empty string as a default salt.
Enable only when your device is PIN protected, such as Trezor.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.gpgCard
The options for using this LUKS device with a GPG-encrypted LUKS password that is decrypted by the GPG Smartcard. If null (the default), GPG-Smartcard will be disabled for this device.
Type: null or submodule
Default: null
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.gpgCard.encryptedPass
Path to the GPG encrypted passphrase.
Type: path
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.gpgCard.gracePeriod
Time in seconds to wait for the GPG Smartcard.
Type: signed integer
Default: 10
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.gpgCard.publicKey
Path to the Public Key.
Type: path
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.header
The name of the file or block device that should be used as header for the encrypted device.
Type: null or string
Default: null
Example: "/root/header.img"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.keyFile
The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.
Type: null or string
Default: null
Example: "/dev/sdb1"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.keyFileOffset
The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.
Type: null or signed integer
Default: null
Example: 4096
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.keyFileSize
The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used for decryption, instead of just the first keyFileSize bytes.
Type: null or signed integer
Default: null
Example: 4096
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.postOpenCommands
Commands that should be run right after we have mounted our LUKS device.
Type: strings concatenated with "\n"
Default: ""
Example:
'' umount /tmp/persistent ''
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.preLVM
Whether the luksOpen will be attempted before LVM scan or after it.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.preOpenCommands
Commands that should be run right before we try to mount our LUKS device. This can be useful if the keys needed to open the drive are on another partition.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  mkdir -p /tmp/persistent
  mount -t zfs rpool/safe/persistent /tmp/persistent
''
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey
The options to use for this LUKS device in YubiKey-PBA. If null (the default), YubiKey-PBA will be disabled for this device.
Type: null or submodule
Default: null
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.gracePeriod
Time in seconds to wait for the YubiKey.
Type: signed integer
Default: 10
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.iterationStep
How much the iteration count for PBKDF2 is increased at each successful authentication.
Type: signed integer
Default: 0
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.keyLength
Length of the LUKS slot key derived with PBKDF2 in bytes.
Type: signed integer
Default: 64
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.saltLength
Length of the new salt in bytes (64 is the effective maximum).
Type: signed integer
Default: 16
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.slot
Which slot on the YubiKey to challenge.
Type: signed integer
Default: 2
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.storage.device
An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.
Type: path
Default: "/dev/sda1"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.storage.fsType
The filesystem of the unencrypted device.
Type: string
Default: "vfat"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.storage.path
Absolute path of the salt on the unencrypted device with that device's root directory as "/".
Type: string
Default: "/crypt-storage/default"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.devices.<name>.yubikey.twoFactor
Whether to use a passphrase and a YubiKey (true), or only a YubiKey (false).
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.fido2Support
Enables support for authenticating with FIDO2 devices.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.gpgSupport
Enables support for authenticating with a GPG encrypted password.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.mitigateDMAAttacks
Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with a PCMCIA, ExpressCard, Thunderbolt or FireWire port. More information is available at http://en.wikipedia.org/wiki/DMA_attack.
This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.reusePassphrases
When opening a new LUKS device, try reusing the last successful passphrase.
Useful for mounting a number of devices that use the same passphrase without retyping it several times.
Such a setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.luks.yubikeySupport
Enables support for authenticating with a YubiKey on LUKS devices. See the NixOS wiki for information on how to properly set up a LUKS device and a YubiKey to work with this feature.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
- boot.initrd.mdadmConf
Contents of /etc/mdadm.conf in stage 1.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.network.enable
Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP.
You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
- boot.initrd.network.flushBeforeStage2
Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
- boot.initrd.network.openvpn.enable
Starts an OpenVPN client during initrd boot. It can be used, for example, to remotely access the SSH service controlled by boot.initrd.network.ssh or other included network services. The service is killed when stage-1 boot is finished.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-openvpn.nix>
- boot.initrd.network.openvpn.configuration
The configuration file for OpenVPN.
Warning
Unless your bootloader supports initrd secrets, this configuration is stored insecurely in the global Nix store.
Type: path
Example: ./configuration.ovpn
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-openvpn.nix>
- boot.initrd.network.postCommands
Shell commands to be executed after stage 1 of the boot has initialised the network.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
- boot.initrd.network.ssh.enable
Start an SSH service during initrd boot. It can be used to debug a failing boot on a remote server, enter the passphrase for an encrypted partition, etc. The service is killed when stage-1 boot is finished.
The sshd configuration is largely inherited from services.openssh.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
- boot.initrd.network.ssh.authorizedKeys
Authorized keys for the root user on initrd.
Type: list of strings
Default: config.users.users.root.openssh.authorizedKeys.keys
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
- boot.initrd.network.ssh.extraConfig
Verbatim contents of sshd_config.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
- boot.initrd.network.ssh.hostKeys
Specify SSH host keys to import into the initrd.
To generate keys, use ssh-keygen(1):
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
Warning
Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!
Additionally, even if your initrd supports secrets, if you're using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition.
Type: list of strings or paths
Default: [ ]
Example: [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
- boot.initrd.network.ssh.port
Port on which SSH initrd service should listen.
Type: signed integer
Default: 22
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
- boot.initrd.network.ssh.shell
Login shell of the remote user. Can be used to limit the actions the user can perform.
Type: string
Default: "/bin/ash"
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
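The boot.initrd.network.ssh options above, combined into a remote-unlock setup that follows the hostKeys warning. This is an added example, not taken from the NixOS manual; the NIC module, port number and authorized key are constructed placeholders, and the key path assumes you generated a dedicated key with the ssh-keygen command shown under hostKeys.

```nix
# Added example: unlocking a LUKS root over SSH from the initrd.
# Values marked "constructed" are placeholders to replace with your own.
{ config, ... }:
{
  # The encrypted root device (UUID reused from the page's own example).
  boot.initrd.luks.devices.luksroot = {
    device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
  };

  # The NIC driver must be available in the initrd, otherwise the network
  # never comes up in stage 1. "e1000e" is constructed; find yours with
  # lspci -v as described under boot.initrd.network.enable.
  boot.initrd.availableKernelModules = [ "e1000e" ];

  boot.initrd.network = {
    enable = true;

    ssh = {
      enable = true;

      # Constructed value. The initrd sshd presents a different host key
      # than the stage-2 sshd, so a separate port keeps clients from
      # seeing a changed key on the same host:port pair.
      port = 2222;

      # Weak: reusing the regular host key. It ends up readable in the
      # initrd on the unencrypted boot partition (and in the Nix store if
      # the bootloader does not support initrd secrets).
      #   hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];

      # Corrected: a dedicated key used only by the initrd. It is written
      # as a quoted string, as in the page's example; a bare Nix path
      # literal (./key) is copied into the world-readable store when it
      # is coerced to a string.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];

      # Set explicitly instead of inheriting every key authorized for
      # root (the default). The key below is a constructed placeholder.
      authorizedKeys = [
        "ssh-ed25519 AAAA...placeholder unlock-operator@example"
      ];
    };
  };
}
```

Anyone who can read the boot partition can read the initrd host key, so treat it as identifying only the pre-boot environment and pin it separately in the client's known_hosts.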
- boot.initrd.network.udhcpc.extraArgs
Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and networking.useDHCP are enabled.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
- boot.initrd.postDeviceCommands
Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.postMountCommands
Shell commands to be executed immediately after the stage 1 filesystems have been mounted.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.preDeviceCommands
Shell commands to be executed before udev is started to create device nodes.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.preFailCommands
Shell commands to be executed before the failure prompt is shown.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.preLVMCommands
Shell commands to be executed immediately before LVM discovery.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.prepend
Other initrd files to prepend to the final initrd we are building.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.secrets
Secrets to append to the initrd. The attribute name is the path the secret should have inside the initrd, the value is the path it should be copied from (or null for the same path inside and out).
Type: attribute set of null or paths
Default: { }
Example:
{ "/etc/dropbear/dropbear_rsa_host_key" = ./secret-dropbear-key; }
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.supportedFilesystems
Names of supported filesystem types in the initial ramdisk.
Type: list of strings
Default: [ ]
Example: [ "btrfs" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.initrd.verbose
Verbosity of the initrd. Please note that disabling verbosity removes only the mandatory messages generated by the NixOS scripts. For a completely silent boot, you might also want to set the two following configuration options:
- boot.consoleLogLevel = 0;
- boot.kernelParams = [ "quiet" "udev.log_level=3" ];
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.isContainer
Whether this NixOS machine is a lightweight container running in another NixOS system.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- boot.iscsi-initiator.discoverPortal
iSCSI portal to boot from.
Type: null or string
Default: null
Example: "192.168.1.1:3260"
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.extraConfig
Extra lines to append to /etc/iscsid.conf
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.extraConfigFile
Append an additional file's contents to `/etc/iscsid.conf`. Use a non-store path and store passwords in this file. Note: the file specified here must be available in the initrd, see: `boot.initrd.secrets`.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.extraIscsiCommands
Extra iscsi commands to run in the initrd.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.logLevel
Higher numbers elicit more logs.
Type: signed integer
Default: 1
Example: 8
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.loginAll
Do not log into a specific target on the portal, but into all targets that are discovered. This overrides the target setting.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.name
Name of the iSCSI initiator to boot from. Note, booting from iscsi requires networkd based networking.
Type: null or string
Default: null
Example: "iqn.2020-08.org.linux-iscsi.initiatorhost:example"
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.iscsi-initiator.target
Name of the iSCSI target to boot from.
Type: null or string
Default: null
Example: "iqn.2020-08.org.linux-iscsi.targethost:example"
Declared by:
<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
- boot.kernel.randstructSeed
Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.
Type: string
Default: ""
Example: "my secret seed"
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.kernel.sysctl
Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameter names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).
Type: attribute set of sysctl option values
Default: { }
Example:
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
Declared by:
<nixpkgs/nixos/modules/config/sysctl.nix>
- boot.kernelModules
The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.kernelPackages
This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.
Type: unspecified
Default: pkgs.linuxPackages
Example: pkgs.linuxKernel.packages.linux_5_10
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.kernelParams
Parameters added to the kernel command line.
Type: list of string, with spaces inside double quotes
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.kernelPatches
A list of additional patches to apply to the kernel.
Type: list of attribute sets
Default: [ ]
Example: [ pkgs.kernelPatches.ubuntu_fan_4_4 ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.loader.efi.canTouchEfiVariables
Whether the installation process is allowed to modify EFI boot variables.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
- boot.loader.efi.efiSysMountPoint
Where the EFI System Partition is mounted.
Type: string
Default: "/boot"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
- boot.loader.generationsDir.enable
Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files.
This option is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
- boot.loader.generationsDir.copyKernels
Whether to copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
- boot.loader.generic-extlinux-compatible.enable
Whether to generate an extlinux-compatible configuration file under /boot/extlinux.conf. For instance, U-Boot's generic distro boot support uses this file format.
See U-boot's documentation for more information.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
- boot.loader.generic-extlinux-compatible.configurationLimit
Maximum number of configurations in the boot menu.
Type: signed integer
Default: 20
Example: 10
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
- boot.loader.generic-extlinux-compatible.populateCmd
Contains the builder command used to populate an image, honoring all options except the -c <path-to-default-configuration> argument. Useful to have for sdImage.populateRootCommands.
Type: string (read only)
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
- boot.loader.grub.enable
Whether to enable the GNU GRUB boot loader.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.enableCryptodisk
Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.backgroundColor
Background color to be used for GRUB to fill the areas the image isn't filling.
Note
This option has no effect for GRUB 1.
Type: null or string
Default: null
Example: "#7EBAE4"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.configurationLimit
Maximum number of configurations in the boot menu. GRUB has problems when there are too many entries.
Type: signed integer
Default: 100
Example: 120
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.configurationName
GRUB entry name instead of default.
Type: string
Default: ""
Example: "Stable 2.6.21"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.copyKernels
Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.default
Index of the default menu item to be booted. Can also be set to "saved", which will make GRUB select the menu item that was used at the last boot.
Type: signed integer or string
Default: "0"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.device
The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.
Type: string
Default: ""
Example: "/dev/disk/by-id/wwn-0x500001234567890a"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.devices
The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install GRUB onto multiple devices.
Type: list of strings
Default: [ ]
Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.efiInstallAsRemovable
Whether to invoke grub-install with --removable.
Unless you turn this on, GRUB will install itself somewhere in boot.loader.efi.efiSysMountPoint (exactly where depends on other config variables). If you've set boot.loader.efi.canTouchEfiVariables *AND* you are currently booted in UEFI mode, then GRUB will use efibootmgr to modify the boot order in the EFI variables of your firmware to include this location. If you are *not* booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed ("efibootmgr: EFI variables are not supported on this system.").
If you turn this feature on, GRUB will install itself in a special location within efiSysMountPoint (namely EFI/boot/boot$arch.efi) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.
To summarize, turn this on if:
- You are installing NixOS and want it to boot in UEFI mode, but you are currently booted in legacy mode
- You want to make a drive that will boot regardless of the NVRAM state of the computer (like a USB "removable" drive)
- You simply dislike the idea of depending on NVRAM state to make your drive bootable
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.efiSupport
Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraConfig
Additional GRUB commands inserted in the configuration file just before the menu entries.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
  terminal_input --append serial
  terminal_output --append serial
''
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraEntries
Any additional entries you want added to the GRUB boot menu.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  # GRUB 1 example (not GRUB 2 compatible)
  title Windows
    chainloader (hd0,1)+1

  # GRUB 2 example
  menuentry "Windows 7" {
    chainloader (hd0,4)+1
  }

  # GRUB 2 with UEFI example, chainloading another distro
  menuentry "Fedora" {
    set root=(hd1,1)
    chainloader /efi/fedora/grubx64.efi
  }
''
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraEntriesBeforeNixOS
Whether extraEntries are included before the default option.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraFiles
A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.
Type: attribute set of paths
Default: { }
Example:
{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraGrubInstallArgs
Additional arguments passed to grub-install.
A use case for this is to build specific GRUB2 modules directly into the GRUB2 kernel image, so that they are available and activated even in the grub rescue shell.
They are also necessary when the BIOS/UEFI is bugged and cannot correctly read large disks (e.g. above 2 TB), so GRUB2's own nativedisk and related modules can be used to use its own disk drivers. The example shows one such case. This is also useful for booting from USB. See the GRUB source code for which disk modules are available.
The list elements are passed directly as argv arguments to the grub-install program, in order.
Type: list of strings
Default: [ ]
Example: [ "--modules=nativedisk ahci pata part_gpt part_msdos diskfilter mdraid1x lvm ext2" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraInstallCommands
Additional shell commands inserted in the bootloader installer script after generating menu entries.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  # the example below generates detached signatures that GRUB can verify
  # https://www.gnu.org/software/grub/manual/grub/grub.html#Using-digital-signatures
  ''${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -name '*.sig' -delete
  old_gpg_home=$GNUPGHOME
  export GNUPGHOME="$(mktemp -d)"
  ''${pkgs.gnupg}/bin/gpg --import ''${priv_key} > /dev/null 2>&1
  ''${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -exec ''${pkgs.gnupg}/bin/gpg --detach-sign "{}" \; > /dev/null 2>&1
  rm -rf $GNUPGHOME
  export GNUPGHOME=$old_gpg_home
''
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraPerEntryConfig
Additional GRUB commands inserted in the configuration file at the start of each NixOS menu entry.
Type: strings concatenated with "\n"
Default: ""
Example: "root (hd0)"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.extraPrepareConfig
Additional bash commands to be run at the script that prepares the GRUB menu entries.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.font
Path to a TrueType, OpenType, or pf2 font to be used by Grub.
Type: null or path
Default: "${pkgs.grub2}/share/grub/unicode.pf2"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.fontSize
Font size for the grub menu. Ignored unless font is set to a ttf or otf font.
Type: null or signed integer
Default: null
Example: 16
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.forceInstall
Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.forcei686
Whether to force the use of an ia32 boot loader on x64 systems. Required to install and run NixOS on 64-bit x86 systems with 32-bit (U)EFI.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.fsIdentifier
Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that GRUB will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as shown in df or mount. Note that ZFS zpools / datasets are ignored and will always be mounted using their labels.
Type: one of "uuid", "label", "provided"
Default: "uuid"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.gfxmodeBios
The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.
Type: string
Default: "1024x768"
Example: "auto"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.gfxmodeEfi
The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.
Type: string
Default: "auto"
Example: "1024x768"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.gfxpayloadBios
The gfxpayload to pass to GRUB when loading a graphical boot interface under BIOS.
Type: string
Default: "text"
Example: "keep"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.gfxpayloadEfi
The gfxpayload to pass to GRUB when loading a graphical boot interface under EFI.
Type: string
Default: "keep"
Example: "text"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.ipxe
Set of iPXE scripts available for booting from the GRUB boot menu.
Type: attribute set of path or strings
Default: { }
Example:
{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.ipxe.org/demo/boot.php
  '';
}
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/ipxe.nix>
- boot.loader.grub.memtest86.enable
Make Memtest86+ (or MemTest86 if EFI support is enabled), a memory testing program, available from the GRUB boot menu. MemTest86 is an unfree program, so this requires allowUnfree to be set to true.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/memtest.nix>
- boot.loader.grub.memtest86.params
Parameters added to the Memtest86+ command line. As of memtest86+ 5.01 the following list of (apparently undocumented) parameters are accepted:
- console=..., set up a serial console. Examples: console=ttyS0, console=ttyS0,9600 or console=ttyS0,115200n8.
- btrace, enable boot trace.
- maxcpus=N, limit number of CPUs.
- onepass, run one pass and exit if there are no errors.
- tstlist=..., list of tests to run. Example: 0,1,2.
- cpumask=..., set a CPU mask, to select CPUs to use for testing.
This list of command line options was obtained by reading the Memtest86+ source code.
Type: list of strings
Default: [ ]
Example: [ "console=ttyS0,115200" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/memtest.nix>
- boot.loader.grub.mirroredBoots
Mirror the boot configuration to multiple partitions and install grub to the respective devices corresponding to those partitions.
Type: list of submodules
Default: [ ]
Example: [ { devices = [ "/dev/disk/by-id/wwn-0x500001234567890a" ] ; path = "/boot1"; } { devices = [ "/dev/disk/by-id/wwn-0x500009876543210a" ] ; path = "/boot2"; } ]
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.mirroredBoots.*.devices
The path to the devices which will have the GRUB MBR written. Note these are typically device paths and not paths to partitions.
Type: list of strings
Default: [ ]
Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a" ]
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.mirroredBoots.*.efiBootloaderId
The id of the bootloader to store in efi nvram. The default is to name it NixOS and append the path or efiSysMountPoint. This is only used if boot.loader.efi.canTouchEfiVariables is true.
Type: null or string
Default: null
Example: "NixOS-fsid"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.mirroredBoots.*.efiSysMountPoint
The path to the efi system mount point. Usually this is the same partition as the above path and can be left as null.
Type: null or string
Default: null
Example: "/boot1/efi"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.mirroredBoots.*.path
The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.
Type: string
Example: "/boot1"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.splashImage
Background image used for GRUB. Set to null to run GRUB in text mode.
Note
For grub 1: It must be a 640x480, 14-colour image in XPM format, optionally compressed with gzip or bzip2.
Note
For grub 2: File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must not be progressive. The image will be scaled if necessary to fit the screen.
Type: null or path
Example: ./my-background.png
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.splashMode
Whether to stretch the image or show the image in the top-left corner unstretched.
Note
This option has no effect for GRUB 1.
Type: one of "normal", "stretch"
Default: "stretch"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.storePath
Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.
Type: string
Default: "/nix/store"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.theme
Grub theme to be used.
Note
This option has no effect for GRUB 1.
Type: null or path
Default: null
Example: pkgs.nixos-grub2-theme
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.trustedBoot.enable
Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.trustedBoot.isHPLaptop
Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.trustedBoot.systemHasTPM
Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
Type: string
Default: ""
Example: "YES_TPM_is_activated"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.useOSProber
If set to true, append entries for other OSs detected by os-prober.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.users
User accounts for GRUB. When specified, the GRUB command line and all boot options except the default are password-protected. All passwords and hashes provided will be stored in /boot/grub/grub.cfg, and will be visible to any local user who can read this file. Additionally, any passwords and hashes provided directly in a Nix configuration (as opposed to external files) will be copied into the Nix store, and will be visible to all local users.
Type: attribute set of submodules
Default: { }
Example: { root = { hashedPasswordFile = "/path/to/file"; } ; }
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.users.<name>.hashedPassword
Specifies the password hash for the account, generated with grub-mkpasswd-pbkdf2. This hash will be copied to the Nix store, and will be visible to all local users.
Type: null or string
Default: null
Example: "grub.pbkdf2.sha512.10000.674DFFDEF76E13EA...2CC972B102CF4355"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.users.<name>.hashedPasswordFile
Specifies the path to a file containing the password hash for the account, generated with grub-mkpasswd-pbkdf2. This hash will be stored in /boot/grub/grub.cfg, and will be visible to any local user who can read this file.
Type: null or string
Default: null
Example: "/path/to/file"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.users.<name>.password
Specifies the clear text password for the account. This password will be copied to the Nix store, and will be visible to all local users.
Type: null or string
Default: null
Example: "Pa$$w0rd!"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.users.<name>.passwordFile
Specifies the path to a file containing the clear text password for the account. This password will be stored in /boot/grub/grub.cfg, and will be visible to any local user who can read this file.
Type: null or string
Default: null
Example: "/path/to/file"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.version
The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.
Type: signed integer
Default: 2
Example: 1
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.grub.zfsSupport
Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
- boot.loader.initScript.enable
Some systems require a /sbin/init script to be started, or having one makes starting NixOS easier. This applies to some kinds of hosting services and to User Mode Linux.
Additionally, this script will create /boot/init-other-configurations-contents.txt containing the contents of the remaining configurations. You can copy and paste them into /sbin/init manually, for example when running a rescue system.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/init-script/init-script.nix>
- boot.loader.raspberryPi.enable
Whether to create files with the system generations in /boot. /boot/old will hold files from old generations.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix>
- boot.loader.raspberryPi.firmwareConfig
Extra options that will be appended to /boot/config.txt file. For possible values, see: https://www.raspberrypi.org/documentation/configuration/config-txt/
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix>
- boot.loader.raspberryPi.uboot.enable
Enable using U-Boot as the boot manager for the Raspberry Pi.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix>
- boot.loader.raspberryPi.uboot.configurationLimit
Maximum number of configurations in the boot menu.
Type: signed integer
Default: 20
Example: 10
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix>
- boot.loader.raspberryPi.version
Type: one of 0, 1, 2, 3, 4
Default: 2
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix>
- boot.loader.systemd-boot.enable
Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
- boot.loader.systemd-boot.configurationLimit
Maximum number of latest generations in the boot menu. Useful to prevent boot partition running out of disk space.
null means no limit, i.e. all generations that have not yet been garbage collected.
Type: null or signed integer
Default: null
Example: 120
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
- boot.loader.systemd-boot.consoleMode
The resolution of the console. The following values are valid:
- "0": Standard UEFI 80x25 mode
- "1": 80x50 mode, not supported by all devices
- "2": The first non-standard mode provided by the device firmware, if any
- "auto": Pick a suitable mode automatically using heuristics
- "max": Pick the highest-numbered available mode
- "keep": Keep the mode selected by firmware (the default)
Type: one of "0", "1", "2", "auto", "max", "keep"
Default: "keep"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
- boot.loader.systemd-boot.editor
Whether to allow editing the kernel command-line before boot. It is recommended to set this to false, as it allows gaining root access by passing init=/bin/sh as a kernel parameter. However, it is enabled by default for backwards compatibility.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
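The exposure notes under boot.loader.grub.users.* and the recommendation for boot.loader.systemd-boot.editor can be enforced when the configuration is evaluated. The module below is an added example, not part of nixpkgs or of this manual; the file name and the secret path are hypothetical, and the assertions option comes from the NixOS module system rather than from the entries above.

```nix
# boot-policy.nix (hypothetical file name), imported from configuration.nix with
#   imports = [ ./boot-policy.nix ];
{ config, lib, ... }:

let
  grubCfg = config.boot.loader.grub;
  sdBoot = config.boot.loader.systemd-boot;

  # GRUB users whose secret is written inline in the Nix configuration.
  # Both `password` and `hashedPassword` are copied into the Nix store,
  # where every local user can read them.
  inlineSecretUsers = lib.attrNames (lib.filterAttrs
    (_name: user: user.password != null || user.hashedPassword != null)
    grubCfg.users);

  # GRUB users that rely on a clear-text password file. The clear-text
  # password ends up in /boot/grub/grub.cfg instead of a PBKDF2 hash.
  clearTextFileUsers = lib.attrNames (lib.filterAttrs
    (_name: user: user.passwordFile != null)
    grubCfg.users);
in
{
  # Weak forms, shown for contrast only:
  #   boot.loader.grub.users.root.password       = "<clear text>";  # lands in /nix/store
  #   boot.loader.grub.users.root.hashedPassword = "<pbkdf2 hash>"; # lands in /nix/store
  #   boot.loader.grub.users.root.passwordFile   = "/path/to/file"; # clear text in grub.cfg
  #
  # Preferred form: only a grub-mkpasswd-pbkdf2 hash, read from a file that
  # lives outside the Nix store. The path is a placeholder and the file must
  # exist before nixos-rebuild runs. The hash is still written to
  # /boot/grub/grub.cfg, so access to that file matters as well.
  boot.loader.grub.users.root.hashedPasswordFile =
    "/etc/nixos/secrets/grub-root.pbkdf2";

  # Without this, anyone at the systemd-boot menu can append init=/bin/sh
  # to the kernel command line and obtain a root shell.
  boot.loader.systemd-boot.editor = false;

  # Fail the build instead of silently shipping a weaker setting that
  # another module may have introduced.
  assertions = [
    {
      assertion = inlineSecretUsers == [ ];
      message = ''
        boot.loader.grub.users: inline password or hashedPassword set for: ${
          lib.concatStringsSep ", " inlineSecretUsers
        }. Use hashedPasswordFile so the secret stays out of the Nix store.
      '';
    }
    {
      assertion = clearTextFileUsers == [ ];
      message = ''
        boot.loader.grub.users: passwordFile (clear text) set for: ${
          lib.concatStringsSep ", " clearTextFileUsers
        }. Use hashedPasswordFile with a grub-mkpasswd-pbkdf2 hash instead.
      '';
    }
    {
      assertion = !(sdBoot.enable && sdBoot.editor);
      message = ''
        boot.loader.systemd-boot.editor must be false when systemd-boot is
        enabled; the editor allows init=/bin/sh to be passed at boot.
      '';
    }
  ];
}
```

With this module imported, nixos-rebuild stops with the corresponding message if any of the three conditions is violated.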
- boot.loader.systemd-boot.graceful
Invoke bootctl install with the --graceful option, which ignores errors when EFI variables cannot be written or when the EFI System Partition cannot be found. Currently only applies to random seed operations.
Only enable this option if systemd-boot otherwise fails to install, as the scope or implication of the --graceful option may change in the future.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
- boot.loader.systemd-boot.memtest86.enable
Make MemTest86 available from the systemd-boot menu. MemTest86 is a program for testing memory. MemTest86 is an unfree program, so this requires allowUnfree to be set to true.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
- boot.loader.timeout
Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.
Type: null or signed integer
Default: 5
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/loader.nix>
- boot.plymouth.enable
Whether to enable Plymouth boot splash screen.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/system/boot/plymouth.nix>
- boot.plymouth.extraConfig
Literal string to append to configFile and the config file generated by the plymouth module.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/system/boot/plymouth.nix>
- boot.plymouth.font
Font file made available for displaying text on the splash screen.
Type: path
Default: "${pkgs.dejavu_fonts.minimal}/share/fonts/truetype/DejaVuSans.ttf"
Declared by:
<nixpkgs/nixos/modules/system/boot/plymouth.nix>
- boot.plymouth.logo
Logo which is displayed on the splash screen.
Type: path
Default:
pkgs.fetchurl { url = "https://nixos.org/logo/nixos-hires.png"; sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si"; }
Declared by:
<nixpkgs/nixos/modules/system/boot/plymouth.nix>
- boot.plymouth.theme
Splash screen theme.
Type: string
Default: "bgrt"
Declared by:
<nixpkgs/nixos/modules/system/boot/plymouth.nix>
- boot.plymouth.themePackages
Extra theme packages for plymouth.
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/system/boot/plymouth.nix>
- boot.postBootCommands
Shell commands to be executed just before systemd is started.
Type: strings concatenated with "\n"
Default: ""
Example: "rm -f /var/log/messages"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-2.nix>
- boot.resumeDevice
Device for manual resume attempt during boot. This should be used primarily if you want to resume from file. If left empty, the swap partitions are used. Specify here the device where the file resides. You should also use boot.kernelParams to specify resume_offset.
Type: string
Default: ""
Example: "/dev/sda3"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- boot.runSize
Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.
Type: string
Default: "25%"
Example: "256m"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-2.nix>
- boot.specialFileSystems.<name>.depends
List of paths that should be mounted before this one. This filesystem's device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.
Type: list of strings (with check: non-empty without trailing slash)
Default: [ ]
Example: [ "/persist" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- boot.specialFileSystems.<name>.device
Location of the device.
Type: null or string (with check: non-empty)
Default: null
Example: "/dev/sda"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- boot.specialFileSystems.<name>.fsType
Type of the file system.
Type: string (with check: non-empty)
Default: "auto"
Example: "ext3"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- boot.specialFileSystems.<name>.mountPoint
Location of the mounted file system.
Type: string (with check: non-empty without trailing slash)
Example: "/mnt/usb"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- boot.specialFileSystems.<name>.options
Options used to mount the file system.
Type: list of strings (with check: non-empty)
Default: [ "defaults" ]
Example: [ "data=journal" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- boot.supportedFilesystems
Names of supported filesystem types.
Type: list of strings
Default: [ ]
Example: [ "btrfs" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- boot.systemdExecutable
The program to execute to start systemd. Typically systemd, which will find systemd in the PATH.
Type: string
Default: "systemd"
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-2.nix>
- boot.tmpOnTmpfs
Whether to mount a tmpfs on /tmp during boot.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/tmp.nix>
- boot.tmpOnTmpfsSize
Size of tmpfs in percentage. Percentage is defined by systemd.
Type: string or positive integer, meaning >0
Default: "50%"
Declared by:
<nixpkgs/nixos/modules/system/boot/tmp.nix>
- boot.vesa
(Deprecated) This option, if set, activates the VESA 800x600 video mode on boot and disables kernel modesetting. It is equivalent to specifying [ "vga=0x317" "nomodeset" ] in the boot.kernelParams option. This option is deprecated as of 2020: Xorg now works better with modesetting, and you might want a different VESA vga setting, anyway.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
- boot.zfs.enableUnstable
Use the unstable zfs package. This might be an option, if the latest kernel is not yet supported by a published release of ZFS. Enabling this option will install a development version of ZFS on Linux. The version will have already passed an extensive test suite, but it is more likely to hit an undiscovered bug compared to running a released version of ZFS on Linux.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.enabled
True if ZFS filesystem support is enabled
Type: boolean (read only)
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.package
Configured ZFS userland tools package.
Type: package (read only)
Default: if config.boot.zfs.enableUnstable then pkgs.zfsUnstable else pkgs.zfs
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.devNodes
Name of directory from which to import ZFS devices.
This should be a path under /dev containing stable names for all devices needed, as import may fail if device nodes are renamed concurrently with a device failing.
Type: path
Default: "/dev/disk/by-id"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.extraPools
Name or GUID of extra ZFS pools that you wish to import during boot.
Usually this is not necessary. Instead, you should set the mountpoint property of ZFS filesystems to legacy and add the ZFS filesystems to NixOS's fileSystems option, which makes NixOS automatically import the associated pool.
However, in some cases (e.g. if you have many filesystems) it may be preferable to exclusively use ZFS commands to manage filesystems. If so, since NixOS/systemd will not be managing those filesystems, you will need to specify the ZFS pool here so that NixOS automatically imports it on every boot.
Type: list of strings
Default: [ ]
Example: [ "tank" "data" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.forceImportAll
Forcibly import all ZFS pool(s).
If you set this option to false and NixOS subsequently fails to import your non-root ZFS pool(s), you should manually import each pool with "zpool import -f <pool-name>", and then reboot. You should only need to do this once.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.forceImportRoot
Forcibly import the ZFS root pool(s) during early boot.
This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools.
If you set this option to false and NixOS subsequently fails to boot because it cannot import the root pool, you should boot with the zfs_force=1 option as a kernel parameter (e.g. by manually editing the kernel params in grub during boot). You should only need to do this once.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- boot.zfs.requestEncryptionCredentials
If true, encryption keys or passwords for all encrypted datasets are requested on import. To only decrypt selected datasets, supply a list of dataset names instead. For root pools the encryption key can be supplied via both an interactive prompt (keylocation=prompt) and from a file (keylocation=file://).
Type: boolean or list of strings
Default: true
Example: [ "tank" "data" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
- console.packages
List of additional packages that provide console fonts, keymaps and other resources for use by virtual consoles.
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/config/console.nix>
- console.colors
The 16-color palette used by the virtual consoles. Leave empty to use the default colors. Colors must be in hexadecimal format and listed in order from color 0 to color 15.
Type: list of strings
Default: [ ]
Example: [ "002b36" "dc322f" "859900" "b58900" "268bd2" "d33682" "2aa198" "eee8d5" "002b36" "cb4b16" "586e75" "657b83" "839496" "6c71c4" "93a1a1" "fdf6e3" ]
Declared by:
<nixpkgs/nixos/modules/config/console.nix>
- console.earlySetup
Enable setting virtual console options as early as possible (in initrd).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/console.nix>
- console.font
The font used for the virtual consoles. Leave empty to use whatever the setfont program considers the default font. Can be either a font name or a path to a PSF font file.
Type: string or path
Default: "Lat2-Terminus16"
Example: "LatArCyrHeb-16"
Declared by:
<nixpkgs/nixos/modules/config/console.nix>
- console.keyMap
The keyboard mapping table for the virtual consoles.
Type: string or path
Default: "us"
Example: "fr"
Declared by:
<nixpkgs/nixos/modules/config/console.nix>
- console.useXkbConfig
If set, configure the virtual console keymap from the xserver keyboard settings.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/console.nix>
- containers
A set of NixOS system configurations to be run as lightweight containers. Each container appears as a service container-name on the host system, allowing it to be started and stopped via systemctl.
Type: attribute set of submodules
Default: { }
Example:
{
  webserver = {
    path = "/nix/var/nix/profiles/webserver";
  };
  database = {
    config =
      { config, pkgs, ... }:
      {
        services.postgresql.enable = true;
        services.postgresql.package = pkgs.postgresql_9_6;
        system.stateVersion = "17.03";
      };
  };
}
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.enableTun
Allows the container to create and setup tunnel interfaces by granting the NET_ADMIN capability and enabling access to /dev/net/tun.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.additionalCapabilities
Grant additional capabilities to the container. See the capabilities(7) and systemd-nspawn(1) man pages for more information.
Type: list of strings
Default: [ ]
Example: [ "CAP_NET_ADMIN" "CAP_MKNOD" ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.allowedDevices
A list of device nodes to which the container has access.
Type: list of submodules
Default: [ ]
Example: [ { modifier = "rw"; node = "/dev/net/tun"; } ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.allowedDevices.*.modifier
Device node access modifier. Takes a combination of r (read), w (write), and m (mknod). See the systemd.resource-control(5) man page for more information.
Type: string
Example: "rw"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.allowedDevices.*.node
Path to device node
Type: string
Example: "/dev/net/tun"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.autoStart
Whether the container is automatically started at boot-time.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.bindMounts
An extra list of directories that is bound to the container.
Type: attribute set of submodules
Default: { }
Example:
{ "/home" = { hostPath = "/home/alice"; isReadOnly = false; }; }
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.bindMounts.<name>.hostPath
Location of the host path to be mounted.
Type: null or string
Default: null
Example: "/home/alice"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.bindMounts.<name>.isReadOnly
Determine whether the mounted path will be accessed in read-only mode.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.bindMounts.<name>.mountPoint
Mount point on the container file system.
Type: string
Example: "/mnt/usb"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.config
A specification of the desired configuration of this container, as a NixOS module.
Type: Toplevel NixOS config
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.ephemeral
Runs the container in ephemeral mode, with an empty root filesystem at boot. The container is bootstrapped from scratch on each boot and cleaned up on shutdown, leaving no traces behind. Useful for completely stateless, reproducible containers.
Note that this option might require some adjustments to the container configuration, e.g. you might want to set systemd.network.networks.$interface.dhcpV4Config.ClientIdentifier to "mac" if you use the macvlans option. This way the DHCP client identifier will be stable between container restarts.
Note that the container journal will not be linked to the host if this option is enabled.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraFlags
Extra flags passed to the systemd-nspawn command. See systemd-nspawn(1) for details.
Type: list of strings
Default: [ ]
Example: [ "--drop-capability=CAP_SYS_CHROOT" ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths
Extra veth-pairs to be created for the container.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.forwardPorts
List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.
Type: list of submodules
Default: [ ]
Example: [ { containerPort = 80; hostPort = 8080; protocol = "tcp"; } ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.forwardPorts.*.containerPort
Target port of container
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.forwardPorts.*.hostPort
Source port of the external interface on host
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.forwardPorts.*.protocol
The protocol specifier for port forwarding between host and container
Type: string
Default: "tcp"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.hostAddress
The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default: null
Example: "10.231.136.1"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.hostAddress6
The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default: null
Example: "fc00::1"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.hostBridge
Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.
Type: null or string
Default: null
Example: "br0"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.localAddress
The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.
Type: null or string
Default: null
Example: "10.231.136.2"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.extraVeths.<name>.localAddress6
The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.
Type: null or string
Default: null
Example: "fc00::2"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.forwardPorts
List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.
Type: list of submodules
Default: [ ]
Example: [ { containerPort = 80; hostPort = 8080; protocol = "tcp"; } ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.forwardPorts.*.containerPort
Target port of container
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.forwardPorts.*.hostPort
Source port of the external interface on host
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.forwardPorts.*.protocol
The protocol specifier for port forwarding between host and container
Type: string
Default: "tcp"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.hostAddress
The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default: null
Example: "10.231.136.1"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.hostAddress6
The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default: null
Example: "fc00::1"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.hostBridge
Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.
Type: null or string
Default: null
Example: "br0"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.interfaces
The list of interfaces to be moved into the container.
Type: list of strings
Default: [ ]
Example: [ "eth1" "eth2" ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.localAddress
The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.
Type: null or string
Default: null
Example: "10.231.136.2"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.localAddress6
The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.
Type: null or string
Default: null
Example: "fc00::2"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.macvlans
The list of host interfaces from which macvlans will be created. For each interface specified, a macvlan interface will be created and moved to the container.
Type: list of strings
Default: [ ]
Example: [ "eth1" "eth2" ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.nixpkgs
A path to the nixpkgs that provide the modules, pkgs and lib for evaluating the container.
To only change the pkgs argument used inside the container modules, set the nixpkgs.* options in the container config. Setting config.nixpkgs.pkgs = pkgs speeds up the container evaluation by reusing the system pkgs, but the nixpkgs.config option in the container config is ignored in this case.
Type: path
Default: pkgs.path
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.path
As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.
Type: path
Example: "/nix/var/nix/profiles/per-container/webserver"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.privateNetwork
Whether to give the container its own private virtual Ethernet interface. The interface is called eth0, and is hooked up to the interface ve-container-name on the host. If this option is not set, then the container shares the network interfaces of the host, and can bind to any port on any interface.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.timeoutStartSec
Time for the container to start. In case of a timeout, the container processes get killed. See systemd.time(7) for more information about the format.
Type: string
Default: "1min"
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
- containers.<name>.tmpfs
Mounts a set of tmpfs file systems into the container. Multiple paths can be specified. Valid items must conform to the --tmpfs argument of systemd-nspawn. See systemd-nspawn(1) for details.
Type: list of strings
Default: [ ]
Example: [ "/var" ]
Declared by:
<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
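The containers.<name>.* options above, combined into one least-privilege container definition. This is an added example, not taken from the NixOS manual: the container name web, the host path /srv/www and the nginx settings inside config are assumptions, and the addresses are the sample values used in the option examples above.

```nix
{ config, pkgs, ... }:
{
  containers.web = {
    autoStart = true;

    # Start from an empty root filesystem on every boot; nothing written
    # inside the container survives a restart. The container journal is
    # not linked to the host in this mode.
    ephemeral = true;

    # The default (false) shares the host's network interfaces, so the
    # container could bind to any port on any host interface. With a
    # private veth pair, only the forwarded port below is reachable.
    privateNetwork = true;
    hostAddress = "10.231.136.1";
    localAddress = "10.231.136.2";
    forwardPorts = [
      {
        protocol = "tcp";
        hostPort = 8080;
        containerPort = 80;
      }
    ];

    # Expose only the content directory, and keep it read-only
    # (isReadOnly already defaults to true; stated here for reviewers).
    # /srv/www is a hypothetical host path.
    bindMounts."/var/www" = {
      hostPath = "/srv/www";
      isReadOnly = true;
    };

    # Keep the privilege-granting options at their defaults:
    # enableTun would grant NET_ADMIN and access to /dev/net/tun.
    enableTun = false;
    additionalCapabilities = [ ];
    allowedDevices = [ ];

    # Drop a capability the workload does not need (flag taken from the
    # extraFlags example above).
    extraFlags = [ "--drop-capability=CAP_SYS_CHROOT" ];

    # Assumed workload: a static web server reading the bind mount.
    config =
      { config, pkgs, ... }:
      {
        services.nginx.enable = true;
        services.nginx.virtualHosts."localhost".root = "/var/www";
        networking.firewall.allowedTCPPorts = [ 80 ];
      };
  };
}
```

When reviewing an existing configuration, the settings to question first are privateNetwork = false, isReadOnly = false on a bind mount, enableTun = true, and any non-empty additionalCapabilities or allowedDevices list.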
- documentation.enable
Whether to install documentation of packages from environment.systemPackages into the generated system path.
See "Multiple-output packages" chapter in the nixpkgs manual for more info.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.dev.enable
Whether to install documentation targeted at developers.
- This includes man pages targeted at developers if documentation.man.enable is set (this also includes "devman" outputs).
- This includes info pages targeted at developers if documentation.info.enable is set (this also includes "devinfo" outputs).
- This includes other pages targeted at developers if documentation.doc.enable is set (this also includes "devdoc" outputs).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.doc.enable
Whether to install documentation distributed in packages' /share/doc. Usually plain text and/or HTML. This also includes "doc" outputs.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.info.enable
Whether to install info pages and the info command. This also includes "info" outputs.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.man.enable
Whether to install manual pages and the man command. This also includes "man" outputs.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.man.generateCaches
Whether to generate the manual page index caches using mandb(8). This allows searching for a page or keyword using utilities like apropos(1).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.man.manualPages
The manual pages to generate caches for if generateCaches is enabled. Must be a path to a directory with man pages under /share/man; see the source for an example. Advanced users can make this a content-addressed derivation to save a few rebuilds.
Type: path
Default: all man pages in config.environment.systemPackages
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.nixos.enable
Whether to install NixOS's own documentation.
- This includes man pages like configuration.nix(5) if documentation.man.enable is set.
- This includes the HTML manual and the nixos-help command if documentation.doc.enable is set.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.nixos.extraModuleSources
Which extra NixOS module paths the generated NixOS's documentation should strip from options.
Type: list of path or strings
Default: [ ]
Example:
# e.g. with options from modules in ${pkgs.customModules}/nix:
[ pkgs.customModules ]
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- documentation.nixos.includeAllModules
Whether the generated NixOS's documentation should include documentation for all the options from all the NixOS modules included in the current configuration.nix. Disabling this will make the manual generator ignore options defined outside of baseModules.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/misc/documentation.nix>
- dysnomia.enable
Whether to enable Dysnomia
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.enableAuthentication
Whether to publish privacy-sensitive authentication credentials
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.enableLegacyModules
Whether to enable Dysnomia legacy process and wrapper modules
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.package
The Dysnomia package
Type: path
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.components
An attribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state
Type: unspecified
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.containers
An attribute set in which each key represents a container and each value an attribute set providing its configuration properties
Type: unspecified
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.extraContainerPaths
A list of paths containing additional container configurations that are added to the search folders
Type: unspecified
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.extraContainerProperties
An attribute set providing additional container settings in addition to the default properties
Type: unspecified
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.extraModulePaths
A list of paths containing additional modules that are added to the search folders
Type: unspecified
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- dysnomia.properties
An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions.
Type: unspecified
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
- ec2.zfs.datasets
Datasets to create under the `tank` and `boot` zpools.
Note: This option is used only at image creation time, and does not attempt to declaratively create or manage datasets on an existing system.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/virtualisation/amazon-options.nix>
- ec2.zfs.datasets.<name>.mount
Where to mount this dataset.
Type: null or Concatenated string
Default: null
Declared by:
<nixpkgs/nixos/modules/virtualisation/amazon-options.nix>
- ec2.zfs.datasets.<name>.properties
Properties to set on this dataset.
Type: attribute set of Concatenated strings
Default: { }
Declared by:
<nixpkgs/nixos/modules/virtualisation/amazon-options.nix>
- environment.enableDebugInfo
Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in /run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them. If you need debug symbols for a package that doesn't provide them by default, you can enable them as follows:
nixpkgs.config.packageOverrides = pkgs: {
  hello = pkgs.hello.overrideAttrs (oldAttrs: {
    separateDebugInfo = true;
  });
};
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/debug-info.nix>
- environment.checkConfigurationOptions
Alias of _module.check.
Type: boolean
Declared by:
<nixpkgs/nixos/modules/rename.nix>
- environment.cinnamon.excludePackages
Which packages cinnamon should exclude from the default environment
Type: list of packages
Default: [ ]
Example: [ pkgs.cinnamon.blueberry ]
Declared by:
<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
- environment.defaultPackages
Set of default packages that aren't strictly necessary for a running system; entries can be removed for a more minimal NixOS installation.
Note: If pkgs.nano is removed from this list, make sure another editor is installed and the EDITOR environment variable is set to it. Environment variables can be set using environment.variables.
Like with systemPackages, packages are installed to /run/current-system/sw. They are automatically available to all users, and are automatically updated every time you rebuild the system configuration.
Type: list of packages
Default: [ (build of nano-5.9) (build of perl-5.34.0) (build of rsync-3.2.3) (build of strace-5.16) ]
Example: [ ]
Declared by:
<nixpkgs/nixos/modules/config/system-path.nix>
- environment.etc
Set of files that have to be linked in /etc.
Type: attribute set of submodules
Default: { }
Example:
{
  example-configuration-file = {
    source = "/nix/store/.../etc/dir/file.conf.example";
    mode = "0440";
  };
  "default/useradd".text = "GROUP=100 ...";
}
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.enable
Whether this /etc file should be generated. This option allows specific /etc files to be disabled.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.gid
GID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').
Type: signed integer
Default: 0
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.group
Group name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over gid.
Type: string
Default: "+0"
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.mode
If set to something other than symlink, the file is copied instead of symlinked, with the given file mode.
Type: string
Default: "symlink"
Example: "0600"
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.source
Path of the source file.
Type: path
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.target
Name of symlink (relative to /etc). Defaults to the attribute name.
Type: string
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.text
Text of the file.
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.uid
UID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').
Type: signed integer
Default: 0
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.etc.<name>.user
User name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over uid.
Type: string
Default: "+0"
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
- environment.extraInit
Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.extraOutputsToInstall
List of additional package outputs to be symlinked into /run/current-system/sw.
Type: list of strings
Default: [ ]
Example: [ "doc" "info" "devdoc" ]
Declared by:
<nixpkgs/nixos/modules/config/system-path.nix>
- environment.extraSetup
Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at $out.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/system-path.nix>
- environment.freetds
Configure freetds database entries. Each attribute denotes a section within freetds.conf, and the value (a string) is the config content for that section. When at least one entry is configured the global environment variables FREETDSCONF, FREETDS and SYBASE will be configured to allow the programs that use freetds to find the library and config.
Type: attribute set of strings
Default: { }
Example:
{
  MYDATABASE = ''
    host = 10.0.2.100
    port = 1433
    tds version = 7.2
  '';
}
Declared by:
<nixpkgs/nixos/modules/programs/freetds.nix>
- environment.gnome.excludePackages
Which packages gnome should exclude from the default environment
Type: list of packages
Default: [ ]
Example: [ pkgs.gnome.totem ]
Declared by:
<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
- environment.homeBinInPath
Include ~/bin/ in $PATH.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.interactiveShellInit
Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.localBinInPath
Add ~/.local/bin/ to $PATH
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.loginShellInit
Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.lxqt.excludePackages
Which LXQt packages to exclude from the default environment
Type: list of packages
Default: [ ]
Example: [ pkgs.lxqt.qterminal ]
Declared by:
<nixpkgs/nixos/modules/services/x11/desktop-managers/lxqt.nix>
- environment.mate.excludePackages
Which MATE packages to exclude from the default environment
Type: list of packages
Default: [ ]
Example: [ pkgs.mate.mate-terminal pkgs.mate.pluma ]
Declared by:
<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
- environment.memoryAllocator.provider
The system-wide memory allocator.
Briefly, the system-wide memory allocator providers are:
- libc: the standard allocator provided by libc
- graphene-hardened: An allocator designed to mitigate memory corruption attacks, such as those caused by use-after-free bugs.
- jemalloc: A general purpose allocator that emphasizes fragmentation avoidance and scalable concurrency support.
- mimalloc: A compact and fast general purpose allocator, which may optionally be built with mitigations against various heap vulnerabilities.
- scudo: A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator, which aims at providing additional mitigations against heap based vulnerabilities, while maintaining good performance.
Warning
Selecting an alternative allocator (i.e., anything other than libc) may result in instability, data loss, and/or service failure.
Type: one of "libc", "graphene-hardened", "jemalloc", "mimalloc", "scudo"
Default: "libc"
Declared by:
<nixpkgs/nixos/modules/config/malloc.nix>
- environment.noXlibs
Switch off the options in the default configuration that require X11 libraries. This includes client-side font configuration and SSH forwarding of X11 authentication. Thus, you probably do not want to enable this option if you want to run X11 programs on this machine via SSH.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/no-x-libs.nix>
- environment.pantheon.excludePackages
Which packages pantheon should exclude from the default environment
Type: list of packages
Default: [ ]
Example: [ pkgs.pantheon.elementary-camera ]
Declared by:
<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
- environment.pathsToLink
List of directories to be symlinked in /run/current-system/sw.
Type: list of strings
Default: [ ]
Example: [ "/" ]
Declared by:
<nixpkgs/nixos/modules/config/system-path.nix>
- environment.profileRelativeEnvVars
Attribute set of environment variables. Each attribute maps to a list of relative paths. Each relative path is appended to each profile of environment.profiles to form the content of the corresponding environment variable.
Type: attribute set of lists of strings
Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.profileRelativeSessionVariables
Attribute set of environment variables used in the global environment. These variables will be set by PAM early in the login process.
Variable substitution is available as described in pam_env.conf(5).
Each attribute maps to a list of relative paths. Each relative path is appended to each profile of environment.profiles to form the content of the corresponding environment variable.
Also, these variables are merged into environment.profileRelativeEnvVars and it is therefore not possible to use PAM style variables such as @{HOME}.
Type: attribute set of lists of strings
Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }
Declared by:
<nixpkgs/nixos/modules/config/system-environment.nix>
- environment.profiles
A list of profiles used to setup the global environment.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.sessionVariables
A set of environment variables used in the global environment. These variables will be set by PAM early in the login process.
The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.
Note: due to limitations in the PAM format, values may not contain the " character.
Also, these variables are merged into environment.variables and it is therefore not possible to use PAM style variables such as @{HOME}.
Type: attribute set of strings or lists of strings
Default: { }
Declared by:
<nixpkgs/nixos/modules/config/system-environment.nix>
- environment.shellAliases
An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells. Aliases mapped to null are ignored.
Type: attribute set of null or string or paths
Example: { l = null; ll = "ls -l"; }
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.shellInit
Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.shells
A list of permissible login shells for user accounts. There is no need to mention /bin/sh here; it is placed into this list implicitly.
Type: list of (package or path)
Default: [ ]
Example: [ pkgs.bashInteractive pkgs.zsh ]
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- environment.systemPackages
The set of packages that appear in /run/current-system/sw. These packages are automatically available to all users, and are automatically updated every time you rebuild the system configuration. (The latter is the main difference with installing them in the default profile, /nix/var/nix/profiles/default.)
Type: list of packages
Default: [ ]
Example: [ pkgs.firefox pkgs.thunderbird ]
Declared by:
<nixpkgs/nixos/modules/config/system-path.nix>
- environment.unixODBCDrivers
Specifies Unix ODBC drivers to be registered in /etc/odbcinst.ini. You may also want to add pkgs.unixODBC to the system path to get a command line client to connect to ODBC databases.
Type: list of packages
Default: [ ]
Example: with pkgs.unixODBCDrivers; [ sqlite psql ]
Declared by:
<nixpkgs/nixos/modules/config/unix-odbc-drivers.nix>
- environment.variables
A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.
Type: attribute set of (string or list of strings)
Default: { }
Example: { EDITOR = "nvim"; VISUAL = "nvim"; }
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
- fileSystems
The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]).
Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).
Type: attribute set of submodules
Default: { }
Example:
{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- fileSystems.<name>.autoFormat
If the device does not currently contain a filesystem (as determined by blkid), then automatically format it with the filesystem type specified in fsType. Use with caution.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.autoResize
If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.depends
List of paths that should be mounted before this one. This filesystem's device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.
Type: list of strings (with check: non-empty without trailing slash)
Default: [ ]
Example: [ "/persist" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.device
Location of the device.
Type: null or string (with check: non-empty)
Default: null
Example: "/dev/sda"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.encrypted.enable
The block device is backed by an encrypted one; adds this device as an initrd LUKS entry.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
- fileSystems.<name>.encrypted.blkDev
Location of the backing encrypted device.
Type: null or string
Default: null
Example: "/dev/sda1"
Declared by:
<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
- fileSystems.<name>.encrypted.keyFile
Path to a keyfile used to unlock the backing encrypted device. At the time this keyfile is accessed, the neededForBoot filesystems (see fileSystems.<name?>.neededForBoot) will have been mounted under /mnt-root, so the keyfile path should usually start with "/mnt-root/".
Type: null or string
Default: null
Example: "/mnt-root/root/.swapkey"
Declared by:
<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
- fileSystems.<name>.encrypted.label
Label of the unlocked encrypted device. Set fileSystems.<name?>.device to /dev/mapper/<label> to mount the unlocked device.
Type: null or string
Default: null
Example: "rootfs"
Declared by:
<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
- fileSystems.<name>.formatOptions
If the autoFormat option is set, specifies extra options passed to mkfs.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.fsType
Type of the file system.
Type: string (with check: non-empty)
Default: "auto"
Example: "ext3"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.label
Label of the device (if any).
Type: null or string (with check: non-empty)
Default: null
Example: "root-partition"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.mountPoint
Location of the mounted file system.
Type: string (with check: non-empty without trailing slash)
Example: "/mnt/usb"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.neededForBoot
If set, this file system will be mounted in the initial ramdisk. Note that the file system will always be mounted in the initial ramdisk if its mount point is one of the following: /, /nix, /nix/store, /var, /var/log, /var/lib, /var/lib/nixos, /etc, /usr.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
- fileSystems.<name>.noCheck
Disable running fsck on this filesystem.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fileSystems.<name>.options
Options used to mount the file system.
Type: list of strings (with check: non-empty)
Default: [ "defaults" ]
Example: [ "data=journal" ]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
- fonts.enableDefaultFonts
Enable a basic set of fonts providing several font styles and families and reasonable coverage of Unicode.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fonts.nix>
- fonts.enableGhostscriptFonts
Whether to add the fonts provided by Ghostscript (such as various URW fonts and the “Base-14” Postscript fonts) to the list of system fonts, making them available to X11 applications.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/ghostscript.nix>
- fonts.fontDir.enable
Whether to create a directory with links to all fonts in /run/current-system/sw/share/X11/fonts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontdir.nix>
- fonts.fontDir.decompressFonts
Whether to decompress fonts in /run/current-system/sw/share/X11/fonts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontdir.nix>
- fonts.fontconfig.enable
If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.allowBitmaps
Allow bitmap fonts. Set to false to ban all bitmap fonts.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.allowType1
Allow Type-1 fonts. Default is false because of poor rendering.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.antialias
Enable font antialiasing. At high resolution (> 200 DPI), antialiasing has no visible effect; users of such displays may want to disable this option.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.cache32Bit
Generate system fonts cache for 32-bit applications.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.defaultFonts.emoji
System-wide default emoji font(s). Multiple fonts may be listed in case a font does not support all emoji.
Note that fontconfig matches color emoji fonts preferentially, so if you want to use a black and white font while having a color font installed (eg. Noto Color Emoji installed alongside Noto Emoji), fontconfig will still choose the color font even when it is later in the list.
Type: list of strings
Default: [ "Noto Color Emoji" ]
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.defaultFonts.monospace
System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.
Type: list of strings
Default: [ "DejaVu Sans Mono" ]
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.defaultFonts.sansSerif
System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.
Type: list of strings
Default: [ "DejaVu Sans" ]
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.defaultFonts.serif
System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.
Type: list of strings
Default: [ "DejaVu Serif" ]
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.hinting.enable
Enable font hinting. Hinting aligns glyphs to pixel boundaries to improve rendering sharpness at low resolution. At high resolution (> 200 dpi) hinting will do nothing (at best); users of such displays may want to disable this option.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.hinting.autohint
Enable the autohinter in place of the default interpreter. The results are usually lower quality than correctly-hinted fonts, but better than unhinted fonts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.includeUserConf
Include the user configuration from ~/.config/fontconfig/fonts.conf or ~/.config/fontconfig/conf.d.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.localConf
System-wide customization file contents, has higher priority than defaultFonts settings.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.subpixel.lcdfilter
FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering has no visible effect; users of such displays may want to select none.
Type: one of "none", "default", "light", "legacy"
Default: "default"
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.subpixel.rgba
Subpixel order. The overwhelming majority of displays are rgb in their normal orientation. Select vrgb for mounting such a display 90 degrees clockwise from its normal orientation or vbgr for mounting 90 degrees counter-clockwise. Select bgr in the unlikely event of mounting 180 degrees from the normal orientation. Reverse these directions in the improbable event that the display's native subpixel order is bgr.
Type: one of "rgb", "bgr", "vrgb", "vbgr", "none"
Default: "rgb"
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fontconfig.useEmbeddedBitmaps
Use embedded bitmaps in fonts like Calibri.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
- fonts.fonts
List of primary font paths.
Type: list of paths
Default: [ ]
Example: [ pkgs.dejavu_fonts ]
Declared by:
<nixpkgs/nixos/modules/config/fonts/fonts.nix>
- gnu
When enabled, GNU software is chosen by default whenever there is a choice between GNU and non-GNU software (e.g., GNU lsh vs. OpenSSH).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/gnu.nix>
- gtk.iconCache.enable
Whether to build icon theme caches for GTK applications.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix>
- hardware.enableAllFirmware
Turn on this option if you want to enable all the firmware.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/all-firmware.nix>
- hardware.enableRedistributableFirmware
Turn on this option if you want to enable all the firmware with a license allowing redistribution. (i.e. free firmware and firmware-linux-nonfree)
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/all-firmware.nix>
- hardware.acpilight.enable
Enable acpilight. This will allow brightness control via xbacklight from users in the video group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/acpilight.nix>
- hardware.bladeRF.enable
Enables udev rules for BladeRF devices. By default grants access to users in the "bladerf" group. You may want to install the libbladeRF package.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/bladeRF.nix>
- hardware.bluetooth.enable
Whether to enable support for Bluetooth.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
- hardware.bluetooth.package
Which BlueZ package to use.
Note: Use the pkgs.bluezFull package to enable all bluez plugins.
Type: package
Default: pkgs.bluez
Example: pkgs.bluezFull
Declared by:
<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
- hardware.bluetooth.disabledPlugins
Built-in plugins to disable.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
- hardware.bluetooth.hsphfpd.enable
Whether to enable support for hsphfpd[-prototype] implementation.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
- hardware.bluetooth.powerOnBoot
Whether to power up the default Bluetooth controller on boot.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
- hardware.bluetooth.settings
Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
Type: attribute set of attribute sets of INI atoms (null, bool, int, float or string)
Default: { }
Example: { General = { ControllerMode = "bredr"; } ; }
Declared by:
<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
- hardware.brillo.enable
Whether to enable brillo in userspace. This will allow brightness control from users in the video group.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/brillo.nix>
- hardware.bumblebee.enable
Enable the bumblebee daemon to manage Optimus hybrid video cards. This should power off the secondary GPU until its use is requested by running an application with optirun.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
- hardware.bumblebee.connectDisplay
Set to true if you intend to connect your discrete card to a monitor. This option will set up your Nvidia card for EDID discovery and to turn on the monitor signal.
Only the nvidia driver is supported so far.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
- hardware.bumblebee.driver
Set driver used by bumblebeed. Supported are nouveau and nvidia.
Type: one of "nvidia", "nouveau"
Default: "nvidia"
Declared by:
<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
- hardware.bumblebee.group
Group for the bumblebee socket.
Type: string
Default: "wheel"
Example: "video"
Declared by:
<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
- hardware.bumblebee.pmMethod
Set preferred power management method for unused card.
Type: one of "auto", "bbswitch", "switcheroo", "none"
Default: "auto"
Declared by:
<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
- hardware.ckb-next.enable
Whether to enable the Corsair keyboard/mouse driver.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/ckb-next.nix>
- hardware.ckb-next.package
The package implementing the Corsair keyboard/mouse driver.
Type: package
Default: pkgs.ckb-next
Declared by:
<nixpkgs/nixos/modules/hardware/ckb-next.nix>
- hardware.ckb-next.gid
Limit access to the ckb daemon to a particular group.
Type: null or signed integer
Default: null
Example: 100
Declared by:
<nixpkgs/nixos/modules/hardware/ckb-next.nix>
- hardware.cpu.amd.updateMicrocode
Update the CPU microcode for AMD processors.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/cpu/amd-microcode.nix>
- hardware.cpu.intel.updateMicrocode
Update the CPU microcode for Intel processors.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/cpu/intel-microcode.nix>
- hardware.deviceTree.enable
Build device tree files. These are used to describe the non-discoverable hardware of a system.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.filter
Only include .dtb files matching glob expression.
Type: null or string
Default: null
Example: "*rpi*.dtb"
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.kernelPackage
Kernel package containing the base device-tree (.dtb) to boot. Uses device trees bundled with the Linux kernel by default.
Type: path
Default: config.boot.kernelPackages.kernel
Example: pkgs.linux_latest
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.name
The name of an explicit dtb to be loaded, relative to the dtb base. Useful in extlinux scenarios if the bootloader doesn't pick the right .dtb file from FDTDIR.
Type: null or string
Default: null
Example: "some-dtb.dtb"
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.overlays
List of overlays to apply to base device-tree (.dtb) files.
Type: list of (submodule or path convertible to it)
Default: [ ]
Example:
[
  { name = "pps"; dtsFile = ./dts/pps.dts; }
  { name = "spi"; dtsText = "..."; }
  { name = "precompiled"; dtboFile = ./dtbos/example.dtbo; }
]
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.overlays.*.dtboFile
Path to .dtbo compiled overlay file.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.overlays.*.dtsFile
Path to .dts overlay file, overlay is applied to each .dtb file matching "compatible" of the overlay.
Type: null or path
Default: null
Example: ./dts/overlays.dts
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.overlays.*.dtsText
Literal DTS contents, overlay is applied to each .dtb file matching "compatible" of the overlay.
Type: null or string
Default: null
Example:
''
  /dts-v1/;
  /plugin/;
  / {
    compatible = "raspberrypi";
    fragment@0 {
      target-path = "/soc";
      __overlay__ {
        pps {
          compatible = "pps-gpio";
          status = "okay";
        };
      };
    };
  };
''
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.deviceTree.overlays.*.name
Name of this overlay.
Type: string
Declared by:
<nixpkgs/nixos/modules/hardware/device-tree.nix>
- hardware.digitalbitbox.enable
Enables udev rules for Digital Bitbox devices.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/digitalbitbox.nix>
- hardware.digitalbitbox.package
The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.
Type: package
Default: pkgs.digitalbitbox
Declared by:
<nixpkgs/nixos/modules/hardware/digitalbitbox.nix>
- hardware.facetimehd.enable
Whether to enable facetimehd kernel module.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/video/webcam/facetimehd.nix>
- hardware.fancontrol.enable
Whether to enable software fan control (requires fancontrol.config).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/fancontrol.nix>
- hardware.fancontrol.config
Required fancontrol configuration file content. See pwmconfig(8) from the lm_sensors package.
Type: strings concatenated with "\n"
Example:
''
  # Configuration file generated by pwmconfig
  INTERVAL=10
  DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656
  DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a
  FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input
  FCFANS=hwmon4/device/pwm1=hwmon4/device/fan1_input
  MINTEMP=hwmon4/device/pwm1=35
  MAXTEMP=hwmon4/device/pwm1=65
  MINSTART=hwmon4/device/pwm1=150
  MINSTOP=hwmon4/device/pwm1=0
''
Declared by:
<nixpkgs/nixos/modules/services/hardware/fancontrol.nix>
- hardware.firmware
List of packages containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If multiple packages contain firmware files with the same name, the first package in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories.
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/udev.nix>
- hardware.flirc.enable
Whether to enable software to configure a Flirc USB device.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/flirc.nix>
- hardware.gkraken.enable
Whether to enable gkraken's udev rules for NZXT AIO liquid coolers.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/gkraken.nix>
- hardware.hackrf.enable
Enables hackrf udev rules and ensures 'plugdev' group exists. This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/hackrf.nix>
- hardware.i2c.enable
Whether to enable i2c devices support. By default access is granted to users in the "i2c" group (will be created if non-existent) and any user with a seat, meaning logged on the computer locally.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/i2c.nix>
- hardware.i2c.group
Grant access to i2c devices (/dev/i2c-*) to users in this group.
Type: string
Default: "i2c"
Declared by:
<nixpkgs/nixos/modules/hardware/i2c.nix>
- hardware.keyboard.teck.enable
Whether to enable non-root access to the firmware of TECK keyboards.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/keyboard/teck.nix>
- hardware.keyboard.zsa.enable
Enables udev rules for keyboards from ZSA like the ErgoDox EZ, Planck EZ and Moonlander Mark I. You need it when you want to flash a new configuration on the keyboard or use their live training in the browser. Access to the keyboard is granted to users in the "plugdev" group. You may want to install the wally-cli package.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/keyboard/zsa.nix>
- hardware.ksm.enable
Whether to enable Kernel Same-Page Merging.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/ksm.nix>
- hardware.ksm.sleep
How many milliseconds ksmd should sleep between scans. Setting it to null uses the kernel's default time.
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/hardware/ksm.nix>
- hardware.ledger.enable
Whether to enable udev rules for Ledger devices.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/ledger.nix>
- hardware.logitech.lcd.enable
Whether to enable Logitech LCD Devices.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/logitech.nix>
- hardware.logitech.lcd.devices
List of USB device ids supported by g15daemon.
You most likely do not need to change this.
Type: list of strings
Default: [ "0a07" "c222" "c225" "c227" "c251" ]
Declared by:
<nixpkgs/nixos/modules/hardware/logitech.nix>
- hardware.logitech.lcd.startWhenNeeded
Only run the service when an actual supported device is plugged in.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/logitech.nix>
- hardware.logitech.wireless.enable
Whether to enable Logitech Wireless Devices.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/logitech.nix>
- hardware.logitech.wireless.enableGraphical
Enable graphical support applications.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/logitech.nix>
- hardware.mcelog.enable
Enable the Machine Check Exception logger.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/mcelog.nix>
- hardware.mwProCapture.enable
Whether to enable Magewell Pro Capture family kernel module.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/video/capture/mwprocapture.nix>
- hardware.nitrokey.enable
Enables udev rules for Nitrokey devices. By default grants access to users in the "nitrokey" group. You may want to install the nitrokey-app package, depending on your device and needs.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/nitrokey.nix>
- hardware.nvidia.package
The NVIDIA X11 derivation to use.
Type: package
Default: config.boot.kernelPackages.nvidiaPackages.stable
Example: config.boot.kernelPackages.nvidiaPackages.legacy_340
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.modesetting.enable
Enable kernel modesetting when using the NVIDIA proprietary driver.
Enabling this fixes screen tearing when using Optimus via PRIME (see hardware.nvidia.prime.sync.enable). This is not enabled by default because it is not officially supported by NVIDIA and would not work with SLI.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.nvidiaPersistenced
Update for NVIDIA GPU headless mode, i.e. nvidia-persistenced. It ensures all GPUs stay awake even during headless mode.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.nvidiaSettings
Whether to add nvidia-settings, NVIDIA's GUI configuration tool, to systemPackages.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.powerManagement.enable
Experimental power management through systemd. For more information, see the NVIDIA docs, chapter 21. Configuring Power Management Support.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.powerManagement.finegrained
Experimental power management of PRIME offload. For more information, see the NVIDIA docs, chapter 22. PCI-Express runtime power management.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.prime.amdgpuBusId
Bus ID of the AMD APU. You can find it using lspci; for example if lspci shows the AMD APU at "04:00.0", set this option to "PCI:4:0:0".
Type: string
Default: ""
Example: "PCI:4:0:0"
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.prime.intelBusId
Bus ID of the Intel GPU. You can find it using lspci; for example if lspci shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
Type: string
Default: ""
Example: "PCI:0:2:0"
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.prime.nvidiaBusId
Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
Type: string
Default: ""
Example: "PCI:1:0:0"
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.prime.offload.enable
Enable render offload support using the NVIDIA proprietary driver via PRIME.
If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.prime.sync.enable
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME. If enabled, the NVIDIA GPU will be always on and used for all rendering, while enabling output to displays attached only to the integrated Intel GPU without a multiplexer.
Note that this option only has any effect if the "nvidia" driver is specified in services.xserver.videoDrivers, and it should preferably be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId).
If you enable this, you may want to also enable kernel modesetting for the NVIDIA driver (hardware.nvidia.modesetting.enable) in order to prevent tearing.
Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidia.prime.sync.allowExternalGpu
Configure X to allow external NVIDIA GPUs when using optimus.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
- hardware.nvidiaOptimus.disable
Completely disable the NVIDIA graphics card and use the integrated graphics processor instead.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/hardware/nvidia-optimus.nix>
- hardware.onlykey.enable
Enable OnlyKey device (https://crp.to/p/) support.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/onlykey/default.nix>
- hardware.opengl.enable
Whether to enable OpenGL drivers. This is needed to enable OpenGL support in X11 systems, as well as for Wayland compositors like sway and Weston. It is enabled by default by the corresponding modules, so you do not usually have to set it yourself, only if there is no module for your wayland compositor of choice. See services.xserver.enable and programs.sway.enable.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/opengl.nix>
- hardware.opengl.driSupport
Whether to enable accelerated OpenGL rendering through the Direct Rendering Interface (DRI).
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/opengl.nix>
- hardware.opengl.driSupport32Bit
On 64-bit systems, whether to support Direct Rendering for 32-bit applications (such as Wine). This is currently only supported for nvidia as well as Mesa.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/opengl.nix>
- hardware.opengl.extraPackages
Additional packages to add to OpenGL drivers. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
Type: list of packages
Default: [ ]
Example: with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]
Declared by:
<nixpkgs/nixos/modules/hardware/opengl.nix>
- hardware.opengl.extraPackages32
Additional packages to add to 32-bit OpenGL drivers on 64-bit systems. Used when driSupport32Bit is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
Type: list of packages
Default: [ ]
Example: with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]
Declared by:
<nixpkgs/nixos/modules/hardware/opengl.nix>
- hardware.openrazer.enable
Whether to enable OpenRazer drivers and userspace daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.openrazer.devicesOffOnScreensaver
Turn off the devices when the system's screensaver kicks in.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.openrazer.keyStatistics
Collects number of keypresses per hour per key used to generate a heatmap.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.openrazer.mouseBatteryNotifier
Mouse battery notifier.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.openrazer.syncEffectsEnabled
Set the sync effects flag to true so any assignment of effects will work across devices.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.openrazer.users
Usernames to be added to the "openrazer" group, so that they can start and interact with the OpenRazer userspace daemon.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.openrazer.verboseLogging
Whether to enable verbose logging. Logs debug messages.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/openrazer.nix>
- hardware.opentabletdriver.enable
Enable OpenTabletDriver udev rules, user service and blacklist kernel modules known to conflict with OpenTabletDriver.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
- hardware.opentabletdriver.package
OpenTabletDriver derivation to use.
Type: package
Default: pkgs.opentabletdriver
Declared by:
<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
- hardware.opentabletdriver.blacklistedKernelModules
Blacklist of kernel modules known to conflict with OpenTabletDriver.
Type: list of strings
Default: [ "hid-uclogic" "wacom" ]
Declared by:
<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
- hardware.opentabletdriver.daemon.enable
Whether to start OpenTabletDriver daemon as a systemd user service.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
- hardware.parallels.enable
This enables Parallels Tools for Linux guests, along with provided video, mouse and other hardware drivers.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/virtualisation/parallels-guest.nix>
- hardware.parallels.package
Defines which package to use for prl-tools. Override to change the version.
Type: null or package
Default: config.boot.kernelPackages.prl-tools
Declared by:
<nixpkgs/nixos/modules/virtualisation/parallels-guest.nix>
- hardware.parallels.autoMountShares
Control the prlfsmountd service. When this service is running, shares cannot be manually mounted through `mount -t prl_fs ...`, as this service will remount them and trample any set options. Enabling it is recommended for simple file sharing; for extended share use, such as for code, disable it and mount shares manually.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/virtualisation/parallels-guest.nix>
- hardware.pcmcia.enable
Enable this option to support PCMCIA cards.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/pcmcia.nix>
- hardware.pcmcia.config
Path to the configuration file which maps the memory, IRQs and ports used by the PCMCIA hardware.
Type: unspecified
Default: null
Declared by:
<nixpkgs/nixos/modules/hardware/pcmcia.nix>
- hardware.pcmcia.firmware
List of firmware used to handle specific PCMCIA cards.
Type: list of paths
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/hardware/pcmcia.nix>
- hardware.printers.ensureDefaultPrinter
Ensures the named printer is the default CUPS printer / printer queue.
Type: null or printable string without spaces, # and /
Default: null
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters
Will regularly ensure that the given CUPS printers are configured as declared here. If a printer's options are manually changed afterwards, they will be overwritten eventually. This option will never delete any printer, even if removed from this list. You can check existing printers with lpstat -s and remove printers with lpadmin -x <printer-name>. Printers not listed here can still be manually configured.
Type: list of submodules
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters.*.description
Optional human-readable description.
Type: null or string
Default: null
Example: "Brother HL-5140"
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters.*.deviceUri
How to reach the printer. lpinfo -v shows a list of supported device URIs and schemes.
Type: string
Example:
"ipp://printserver.local/printers/BrotherHL_Workroom"
"usb://HP/DESKJET%20940C?serial=CN16E6C364BH"
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters.*.location
Optional human-readable location.
Type: null or string
Default: null
Example: "Workroom"
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters.*.model
Location of the ppd driver file for the printer. lpinfo -m shows a list of supported models.
Type: string
Example:
"gutenprint.${lib.versions.majorMinor (lib.getVersion pkgs.gutenprint)}://brother-hl-5140/expert"
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters.*.name
Name of the printer / printer queue. May contain any printable characters except "/", "#", and space.
Type: printable string without spaces, # and /
Example: "BrotherHL_Workroom"
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.printers.ensurePrinters.*.ppdOptions
Sets PPD options for the printer. lpoptions [-p printername] -l shows supported PPD options for the given printer.
Type: attribute set of strings
Default: { }
Example: { Duplex = "DuplexNoTumble"; PageSize = "A4"; }
Declared by:
<nixpkgs/nixos/modules/hardware/printers.nix>
- hardware.pulseaudio.enable
Whether to enable the PulseAudio sound server.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.package
The PulseAudio derivation to use. This can be used to enable features (such as JACK support, Bluetooth) via the pulseaudioFull package.
Type: package
Default: pkgs.pulseaudio
Example: pkgs.pulseaudioFull
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.configFile
The path to the default configuration options the PulseAudio server should use. By default, the "default.pa" configuration from the PulseAudio distribution is used.
Type: null or path
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.daemon.config
Config of the pulse daemon. See man pulse-daemon.conf.
Type: attribute set of unspecifieds
Default: { }
Example: { realtime-scheduling = "yes"; }
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.daemon.logLevel
The log level that the system-wide pulseaudio daemon should use, if activated.
Type: string
Default: "notice"
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.extraClientConf
Extra configuration appended to pulse/client.conf file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.extraConfig
Literal string to append to configFile and the config file generated by the pulseaudio module.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.extraModules
Extra pulseaudio modules to use. This is intended for out-of-tree pulseaudio modules like extra bluetooth codecs.
Extra modules take precedence over built-in pulseaudio modules.
Type: list of packages
Default: [ ]
Example: [ pkgs.pulseaudio-modules-bt ]
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.support32Bit
Whether to include the 32-bit pulseaudio libraries in the system or not. This is only useful on 64-bit systems and currently limited to x86_64-linux.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.systemWide
If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. The server runs with user privileges. If true, one system-wide PulseAudio server is launched on boot, running as the user "pulse", and only users in the "audio" group will have access to the server. Please read the PulseAudio documentation for more details.
Don't enable this option unless you know what you are doing.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.tcp.enable
Whether to enable TCP streaming support.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.tcp.anonymousClients.allowAll
Whether to allow all anonymous clients to stream to the server.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges
A list of IP subnets that are allowed to stream to the server.
Type: list of strings
Default: [ ]
Example: [ "127.0.0.1" "192.168.1.0/24" ]
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.zeroconf.discovery.enable
Whether to enable discovery of pulseaudio sinks in the local network.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.pulseaudio.zeroconf.publish.enable
Whether to enable publishing the pulseaudio sink in the local network.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/pulseaudio.nix>
- hardware.raid.HPSmartArray.enable
Whether to enable HP Smart Array kernel modules and CLI utility.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/raid/hpsa.nix>
- hardware.rasdaemon.enable
Whether to enable RAS logging daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rasdaemon.config
rasdaemon configuration, currently only used for CE PFA. For details, read the comments in rasdaemon.outPath/etc/sysconfig/rasdaemon.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  # defaults from included config
  PAGE_CE_REFRESH_CYCLE="24h"
  PAGE_CE_THRESHOLD="50"
  PAGE_CE_ACTION="soft"
''
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rasdaemon.extraModules
Extra kernel modules to load.
Type: list of strings
Default: [ ]
Example: [ "i7core_edac" ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rasdaemon.labels
Additional memory module label descriptions to be placed in /etc/ras/dimm_labels.d/labels.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  # vendor and model may be shown by 'ras-mc-ctl --mainboard'
  vendor: ASRock
  product: To Be Filled By O.E.M.
  model: B450M Pro4
  # these labels are names for the motherboard slots
  # the numbers may be shown by `ras-mc-ctl --error-count`
  # they are mc:csrow:channel
  DDR4_A1: 0.2.0;
  DDR4_B1: 0.2.1;
  DDR4_A2: 0.3.0;
  DDR4_B2: 0.3.1;
''
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rasdaemon.mainboard
Custom mainboard description, see ras-mc-ctl(8) for more details.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  vendor = ASRock
  model = B450M Pro4
  # it should default to such values from
  # /sys/class/dmi/id/board_[vendor|name]
  # alternatively one can supply a script
  # that returns the same format as above
  script = <path to script>
''
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rasdaemon.record
Record events via sqlite3; required for ras-mc-ctl.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rasdaemon.testing
Whether to enable error injection infrastructure.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
- hardware.rtl-sdr.enable
Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules. This is a prerequisite to using devices supported by rtl-sdr without being root, since rtl-sdr USB descriptors will be owned by plugdev through udev.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/rtl-sdr.nix>
- hardware.sane.enable
Enable support for SANE scanners.
Note
Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sane.brscan4.enable
When enabled, will automatically register the "brscan4" sane backend and bring configuration files to their expected location.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
- hardware.sane.brscan4.netDevices
The list of network devices that will be registered against the brscan4 sane backend.
Type: attribute set of submodules
Default: { }
Example:
{
  office1 = { ip = "192.168.1.2"; model = "MFC-7860DW"; };
  office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; };
}
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
- hardware.sane.brscan4.netDevices.<name>.ip
The IP address of the device. If undefined, you will have to provide a nodename.
Type: null or string
Default: null
Example: "192.168.1.2"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
- hardware.sane.brscan4.netDevices.<name>.model
The model of the network device.
Type: string
Example: "MFC-7860DW"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
- hardware.sane.brscan4.netDevices.<name>.name
The friendly name you give to the network device. If undefined, the name of the attribute will be used.
Type: string
Example: "office1"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
- hardware.sane.brscan4.netDevices.<name>.nodename
The node name of the device. If undefined, you will have to provide an ip.
Type: null or string
Default: null
Example: "BRW0080927AFBCE"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
- hardware.sane.brscan5.enable
Whether to enable the Brother brscan5 sane backend.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
- hardware.sane.brscan5.netDevices
The list of network devices that will be registered against the brscan5 sane backend.
Type: attribute set of submodules
Default: { }
Example:
{
  office1 = { ip = "192.168.1.2"; model = "MFC-7860DW"; };
  office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; };
}
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
- hardware.sane.brscan5.netDevices.<name>.ip
The IP address of the device. If undefined, you will have to provide a nodename.
Type: null or string
Default: null
Example: "192.168.1.2"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
- hardware.sane.brscan5.netDevices.<name>.model
The model of the network device.
Type: string
Example: "ADS-1200"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
- hardware.sane.brscan5.netDevices.<name>.name
The friendly name you give to the network device. If undefined, the name of the attribute will be used.
Type: string
Example: "office1"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
- hardware.sane.brscan5.netDevices.<name>.nodename
The node name of the device. If undefined, you will have to provide an ip.
Type: null or string
Default: null
Example: "BRW0080927AFBCE"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
- hardware.sane.disabledDefaultBackends
Names of backends which are enabled by default but should be disabled. See $SANE_CONFIG_DIR/dll.conf for the list of possible names.
Type: list of strings
Default: [ ]
Example: [ "v4l" ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sane.drivers.scanSnap.enable
Whether to enable drivers for the Fujitsu ScanSnap scanners.
The driver files are unfree and extracted from the Windows driver image.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sane.drivers.scanSnap.package
Epjitsu driver package to use. Useful if you want to extract the driver files yourself.
The process is described in the /etc/sane.d/epjitsu.conf file in the sane-backends package.
Type: package
Default: pkgs.sane-drivers.epjitsu
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sane.dsseries.enable
When enabled, will automatically register the "dsseries" SANE backend.
This supports the Brother DSmobile scanner series, including the DS-620, DS-720D, DS-820W, and DS-920DW scanners.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix>
- hardware.sane.extraBackends
Packages providing extra SANE backends to enable.
Note
The example contains the package for HP scanners.
Type: list of paths
Default: [ ]
Example: [ pkgs.hplipWithPlugin ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sane.netConf
Network hosts that should be probed for remote scanners.
Type: strings concatenated with "\n"
Default: ""
Example: "192.168.0.16"
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sane.snapshot
Use a development snapshot of SANE scanner drivers.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/hardware/sane.nix>
- hardware.sata.timeout.enable
Whether to enable SATA drive timeouts.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/sata.nix>
- hardware.sata.timeout.deciSeconds
Set SCT Error Recovery Control timeout in deciseconds for use in RAID configurations.
Values are as follows:
0 = disable SCT ERT
70 = default in consumer drives (7 seconds)
Maximum is disk dependent but probably 60 seconds.
Type: signed integer
Example: 70
Declared by:
<nixpkgs/nixos/modules/hardware/sata.nix>
- hardware.sata.timeout.drives
List of drives for which to configure the timeout.
Type: list of submodules
Declared by:
<nixpkgs/nixos/modules/hardware/sata.nix>
- hardware.sata.timeout.drives.*.idBy
The method to identify the drive.
Type: one of "path", "wwn"
Default: "path"
Declared by:
<nixpkgs/nixos/modules/hardware/sata.nix>
- hardware.sata.timeout.drives.*.name
Drive name without the full path.
Type: string
Declared by:
<nixpkgs/nixos/modules/hardware/sata.nix>
- hardware.sensor.hddtemp.enable
Enable this option to support HDD/SSD temperature sensors.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
- hardware.sensor.hddtemp.dbEntries
Additional DB entries
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
- hardware.sensor.hddtemp.drives
List of drives to monitor. If you pass /dev/disk/by-path/* entries the symlinks will be resolved as hddtemp doesn't like names with colons.
Type: list of strings
Declared by:
<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
- hardware.sensor.hddtemp.extraArgs
Additional arguments passed to the daemon.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
- hardware.sensor.hddtemp.unit
Celsius or Fahrenheit.
Type: one of "C", "F"
Default: "C"
Declared by:
<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
- hardware.sensor.iio.enable
Enable this option to support IIO sensors with iio-sensor-proxy.
IIO sensors are used for orientation and ambient light sensors on some mobile devices.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/sensor/iio.nix>
- hardware.spacenavd.enable
Whether to enable spacenavd to support 3DConnexion devices.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/spacenavd.nix>
- hardware.steam-hardware.enable
Enable udev rules for Steam hardware such as the Steam Controller, other supported controllers and the HTC Vive
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/steam-hardware.nix>
- hardware.system76.enableAll
Whether to enable all recommended configuration for system76 systems.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/system-76.nix>
- hardware.system76.firmware-daemon.enable
Whether to enable the system76 firmware daemon
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/system-76.nix>
- hardware.system76.kernel-modules.enable
Whether to make the system76 out-of-tree kernel modules available
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/system-76.nix>
- hardware.system76.power-daemon.enable
Whether to enable the system76 power daemon
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/system-76.nix>
- hardware.trackpoint.enable
Enable sensitivity and speed configuration for trackpoints.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/trackpoint.nix>
- hardware.trackpoint.device
The device name of the trackpoint. You can check with xinput. Some newer devices (for example the x1c6) use "TPPS/2 Elan TrackPoint".
Type: string
Default: "TPPS/2 IBM TrackPoint"
Declared by:
<nixpkgs/nixos/modules/tasks/trackpoint.nix>
- hardware.trackpoint.emulateWheel
Enable scrolling while holding the middle mouse button.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/trackpoint.nix>
- hardware.trackpoint.fakeButtons
Switch to "bare" PS/2 mouse support in case Trackpoint buttons are not recognized properly. This can happen for example on models like the L430, T450, T450s, on which the Trackpoint buttons are actually a part of the Synaptics touchpad.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/trackpoint.nix>
- hardware.trackpoint.sensitivity
Configure the trackpoint sensitivity. By default, the kernel configures 128.
Type: signed integer
Default: 128
Example: 255
Declared by:
<nixpkgs/nixos/modules/tasks/trackpoint.nix>
- hardware.trackpoint.speed
Configure the trackpoint speed. By default, the kernel configures 97.
Type: signed integer
Default: 97
Example: 255
Declared by:
<nixpkgs/nixos/modules/tasks/trackpoint.nix>
- hardware.tuxedo-keyboard.enable
Whether to enable the tuxedo-keyboard driver.
To configure the driver, pass the options to the boot.kernelParams configuration. There are several parameters you can change. It's best to check the source code description to see which options are supported. You can find all the supported parameters at: https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam
In order to use the custom lighting with the maximum brightness and a color of 0xff0a0a, one would pass boot.kernelParams like this:
boot.kernelParams = [ "tuxedo_keyboard.mode=0" "tuxedo_keyboard.brightness=255" "tuxedo_keyboard.color_left=0xff0a0a" ];
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/tuxedo-keyboard.nix>
- hardware.ubertooth.enable
Whether to enable the Ubertooth software and its udev rules.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/ubertooth.nix>
- hardware.ubertooth.group
Group for Ubertooth's udev rules.
Type: string
Default: "ubertooth"
Example: "wheel"
Declared by:
<nixpkgs/nixos/modules/hardware/ubertooth.nix>
- hardware.uinput.enable
Whether to enable uinput support.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/uinput.nix>
- hardware.usbWwan.enable
Enable this option to support USB WWAN adapters.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/usb-wwan.nix>
- hardware.video.hidpi.enable
Whether to enable Font/DPI configuration optimized for HiDPI displays.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/video/hidpi.nix>
- hardware.wirelessRegulatoryDatabase
Load the wireless regulatory database at boot.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/all-firmware.nix>
- hardware.wooting.enable
Whether to enable support for Wooting keyboards.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/wooting.nix>
- hardware.xpadneo.enable
Whether to enable the xpadneo driver for Xbox One wireless controllers.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/xpadneo.nix>
- i18n.defaultLocale
The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.
Type: string
Default: "en_US.UTF-8"
Example: "nl_NL.UTF-8"
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
- i18n.extraLocaleSettings
A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.
Type: attribute set of strings
Default: { }
Example: { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; }
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
- i18n.glibcLocales
Customized pkgs.glibcLocales package.
Changing this option can disable handling of i18n.defaultLocale and i18n.supportedLocales.
Type: path
Default: (build of glibc-locales-2.33-117)
Example: pkgs.glibcLocales
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
- i18n.inputMethod.enabled
Select the enabled input method. An input method is software for entering symbols that are not available on standard input devices.
Input methods are especially used to input Chinese, Japanese and Korean characters.
Currently the following input methods are available in NixOS:
- ibus: The intelligent input bus, extra input engines can be added using i18n.inputMethod.ibus.engines.
- fcitx: A customizable lightweight input method, extra input engines can be added using i18n.inputMethod.fcitx.engines.
- fcitx5: The next generation of fcitx, addons (including engines, dictionaries, skins) can be added using i18n.inputMethod.fcitx5.addons.
- nabi: A Korean input method based on XIM. Nabi doesn't support Qt 5.
- uim: The universal input method, a library with an XIM bridge. uim mainly supports Chinese, Japanese and Korean.
- hime: An extremely easy-to-use input method framework.
- kime: Korean IME.
Type: null or one of "ibus", "fcitx", "fcitx5", "nabi", "uim", "hime", "kime"
Default: null
Example: "fcitx"
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/default.nix>
- i18n.inputMethod.fcitx.engines
Enabled Fcitx engines. Available engines are: anthy, chewing, cloudpinyin, hangul, libpinyin, m17n, mozc, rime, skk, table-extra, table-other, unikey.
Type: list of packages
Default: [ ]
Example: with pkgs.fcitx-engines; [ mozc hangul ]
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/fcitx.nix>
- i18n.inputMethod.fcitx5.addons
Enabled Fcitx5 addons.
Type: list of packages
Default: [ ]
Example: with pkgs; [ fcitx5-rime ]
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
- i18n.inputMethod.ibus.engines
Enabled IBus engines. Available engines are: anthy, bamboo, hangul, kkc, libpinyin, libthai, m17n, mozc, rime, table, table-chinese, table-others, typing-booster, typing-booster-unwrapped, uniemoji.
Type: list of packages
Default: [ ]
Example: with pkgs.ibus-engines; [ mozc hangul ]
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/ibus.nix>
- i18n.inputMethod.ibus.panel
Replace the IBus panel with another panel.
Type: null or path
Default: null
Example: "${pkgs.plasma5Packages.plasma-desktop}/lib/libexec/kimpanel-ibus-panel"
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/ibus.nix>
- i18n.inputMethod.kime.config
kime configuration. Refer to https://github.com/Riey/kime/blob/v2.5.5/docs/CONFIGURATION.md for details on supported values.
Type: YAML value
Default: { }
Example:
{ daemon = { modules = ["Xim" "Indicator"]; }; indicator = { icon_color = "White"; }; engine = { hangul = { layout = "dubeolsik"; }; }; }
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/kime.nix>
- i18n.inputMethod.uim.toolbar
Selected UIM toolbar.
Type: one of "gtk", "gtk3", "gtk-systray", "gtk3-systray", "qt4"
Default: "gtk"
Example: "gtk-systray"
Declared by:
<nixpkgs/nixos/modules/i18n/input-method/uim.nix>
- i18n.supportedLocales
List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED.
Type: list of strings
Default: [ "all" ]
Example: [ "en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1" ]
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
- krb5.enable
Whether to enable building krb5.conf, configuration file for Kerberos V.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.appdefaults
Settings used by some Kerberos V5 applications.
Type: attribute set or strings concatenated with "\n"
Default: { }
Example:
{ pam = { debug = false; ticket_lifetime = 36000; renew_lifetime = 36000; max_timeout = 30; timeout_shift = 2; initial_timeout = 1; }; };
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.capaths
Authentication paths for non-hierarchical cross-realm authentication.
Type: attribute set or strings concatenated with "\n"
Default: { }
Example:
{ "ATHENA.MIT.EDU" = { "EXAMPLE.COM" = "."; }; "EXAMPLE.COM" = { "ATHENA.MIT.EDU" = "."; }; };
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.config
Verbatim krb5.conf configuration. Note that this is mutually exclusive with configuration via libdefaults, realms, domain_realm, capaths, appdefaults, plugins and extraConfig configuration options. Consult man krb5.conf for documentation.
Type: null or strings concatenated with "\n"
Default: null
Example:
''
  [libdefaults]
    default_realm = EXAMPLE.COM

  [realms]
    EXAMPLE.COM = {
      admin_server = kerberos.example.com
      kdc = kerberos.example.com
      default_principal_flags = +preauth
    }

  [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

  [logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE
''
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.defaultRealm
DEPRECATED, please use krb5.libdefaults.default_realm.
Type: null or string
Default: null
Example: "ATHENA.MIT.EDU"
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.domainRealm
DEPRECATED, please create a map of server hostnames to Kerberos realms in krb5.domain_realm.
Type: null or string
Default: null
Example: "athena.mit.edu"
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.domain_realm
Map of server hostnames to Kerberos realms.
Type: attribute set or strings concatenated with "\n"
Default: { }
Example:
{ "example.com" = "EXAMPLE.COM"; ".example.com" = "EXAMPLE.COM"; };
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.extraConfig
These lines go to the end of krb5.conf verbatim. krb5.conf may include any of the relations that are valid for kdc.conf (see man kdc.conf), but it is not a recommended practice.
Type: null or strings concatenated with "\n"
Default: null
Example:
''
  [logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE
''
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.kdc
DEPRECATED, please pass a kdc attribute to a realm in krb5.realms.
Type: null or string
Default: null
Example: "kerberos.mit.edu"
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.kerberos
The Kerberos implementation that will be present in environment.systemPackages after enabling this service.
Type: package
Default: pkgs.krb5Full
Example: pkgs.heimdal
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.kerberosAdminServer
DEPRECATED, please pass an admin_server attribute to a realm in krb5.realms.
Type: null or string
Default: null
Example: "kerberos.mit.edu"
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.libdefaults
Settings used by the Kerberos V5 library.
Type: attribute set or strings concatenated with "\n"
Default: { }
Example:
{ default_realm = "ATHENA.MIT.EDU"; };
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.plugins
Controls plugin module registration.
Type: attribute set or strings concatenated with "\n"
Default: { }
Example:
{ ccselect = { disable = "k5identity"; }; };
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- krb5.realms
Realm-specific contact information and settings.
Type: attribute set or strings concatenated with "\n"
Default: { }
Example:
{ "ATHENA.MIT.EDU" = { admin_server = "athena.mit.edu"; kdc = [ "athena01.mit.edu" "athena02.mit.edu" ]; }; };
Declared by:
<nixpkgs/nixos/modules/config/krb5/default.nix>
- lib
This option allows modules to define helper functions, constants, etc.
Type: attribute set of attribute sets
Default: { }
Declared by:
<nixpkgs/nixos/modules/misc/lib.nix>
- location.latitude
Your current latitude, between -90.0 and 90.0. Must be provided along with longitude.
Type: floating point number
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
- location.longitude
Your current longitude, between -180.0 and 180.0. Must be provided along with latitude.
Type: floating point number
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
- location.provider
The location provider to use for determining your location. If set to manual you must also provide latitude/longitude.
Type: one of "manual", "geoclue2"
Default: "manual"
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
- networking.enableB43Firmware
Turn on this option if you want firmware for the NICs supported by the b43 module.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/network/b43.nix>
- networking.enableIPv6
Whether to enable support for IPv6.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.enableIntel2200BGFirmware
Turn on this option if you want firmware for the Intel PRO/Wireless 2200BG to be loaded automatically. This is required if you want to use this device.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/network/intel-2200bg.nix>
- networking.bonds
This option allows you to define bond devices that aggregate multiple underlying networking interfaces together. The value of this option is an attribute set. Each attribute specifies a bond, with the attribute name specifying the name of the bond's network interface.
Type: attribute set of submodules
Default: { }
Example:
{ bond0 = { interfaces = [ "eth0" "wlan0" ]; driverOptions = { miimon = "100"; mode = "active-backup"; } ; }; anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ]; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bonds.<name>.driverOptions
Options for the bonding driver. Documentation can be found in https://www.kernel.org/doc/Documentation/networking/bonding.txt
Type: attribute set of strings
Default: { }
Example:
{ miimon = "100"; mode = "active-backup"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bonds.<name>.interfaces
The interfaces to bond together.
Type: list of strings
Example: [ "enp4s0f0" "enp4s0f1" "wlan0" ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bonds.<name>.lacp_rate
DEPRECATED, use `driverOptions`. Option specifying the rate at which we'll ask our link partner to transmit LACPDU packets in 802.3ad mode.
Type: null or string
Default: null
Example: "fast"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bonds.<name>.miimon
DEPRECATED, use `driverOptions`. Miimon is the number of milliseconds between each round of polling by the device driver for failed links. By default polling is not enabled and the driver is trusted to properly detect and handle failure scenarios.
Type: null or signed integer
Default: null
Example: 100
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bonds.<name>.mode
DEPRECATED, use `driverOptions`. The mode in which the bond will run. The default mode for the bonding driver is balance-rr, optimizing for throughput. More information about valid modes can be found at https://www.kernel.org/doc/Documentation/networking/bonding.txt
Type: null or string
Default: null
Example: "active-backup"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bonds.<name>.xmit_hash_policy
DEPRECATED, use `driverOptions`. Selects the transmit hash policy to use for slave selection in balance-xor, 802.3ad, and tlb modes.
Type: null or string
Default: null
Example: "layer2+3"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bridges
This option allows you to define Ethernet bridge devices that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a bridge, with the attribute name specifying the name of the bridge's network interface.
Type: attribute set of submodules
Default: { }
Example: { br0 = { interfaces = [ "eth0" "eth1" ] ; } ; br1 = { interfaces = [ "eth2" "wlan0" ] ; } ; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bridges.<name>.interfaces
The physical network interfaces connected by the bridge.
Type: list of strings
Example: [ "eth0" "eth1" ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.bridges.<name>.rstp
Whether the bridge interface should enable rstp.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway
The default gateway. It can be left empty if it is auto-detected through DHCP. It can be specified as a string or an option set along with a network interface.
Type: null or submodule or string convertible to it
Default: null
Example: { address = "131.211.84.1"; interface = "enp3s0"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway.address
The default gateway address.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway.interface
The default gateway interface.
Type: null or string
Default: null
Example: "enp0s3"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway.metric
The default gateway metric/preference.
Type: null or signed integer
Default: null
Example: 42
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway6
The default ipv6 gateway. It can be left empty if it is auto-detected through DHCP. It can be specified as a string or an option set along with a network interface.
Type: null or submodule or string convertible to it
Default: null
Example: { address = "2001:4d0:1e04:895::1"; interface = "enp3s0"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway6.address
The default gateway address.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway6.interface
The default gateway interface.
Type: null or string
Default: null
Example: "enp0s3"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGateway6.metric
The default gateway metric/preference.
Type: null or signed integer
Default: null
Example: 42
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.defaultGatewayWindowSize
The window size of the default gateway. It limits maximal data bursts that TCP peers are allowed to send to us.
Type: null or signed integer
Default: null
Example: 524288
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.dhcpcd.enable
Whether to enable dhcpcd for device configuration. This is mainly to explicitly disable dhcpcd (for example when using networkd).
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.dhcpcd.allowInterfaces
Enable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. Any interface not explicitly matched by this pattern will be denied. This pattern only applies when non-null.
Type: null or list of strings
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.dhcpcd.denyInterfaces
Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. The purpose of this option is to blacklist virtual interfaces such as those created by Xen, libvirt, LXC, etc.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.dhcpcd.extraConfig
Literal string to append to the config file generated for dhcpcd.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.dhcpcd.persistent
Whether to leave interfaces configured on dhcpcd daemon shutdown. Set to true if you have your root or store mounted over the network or this machine accepts SSH connections through DHCP interfaces and clients should be notified when it shuts down.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.dhcpcd.runHook
Shell code that will be run after all other hooks. See `man dhcpcd-run-hooks` for details on what is possible.
Type: strings concatenated with "\n"
Default: ""
Example: "if [[ $reason =~ BOUND ]]; then echo $interface: Routers are $new_routers - were $old_routers; fi"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.dhcpcd.wait
This option specifies when the dhcpcd service will fork to background. If set to "background", dhcpcd will fork to background immediately. If set to "ipv4" or "ipv6", dhcpcd will wait for the corresponding IP address to be assigned. If set to "any", dhcpcd will wait for any type (IPv4 or IPv6) to be assigned. If set to "both", dhcpcd will wait for both an IPv4 and an IPv6 address before forking. The option "if-carrier-up" is equivalent to "any" if either ethernet is plugged in or WiFi is powered, and to "background" otherwise.
Type: one of "background", "any", "ipv4", "ipv6", "both", "if-carrier-up"
Default: "any"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
- networking.domain
The domain. It can be left empty if it is auto-detected through DHCP.
Type: null or string
Default: null
Example: "home.arpa"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.extraHosts
Additional verbatim entries to be appended to /etc/hosts. For adding hosts from derivation results, use networking.hostFiles instead.
Type: strings concatenated with "\n"
Default: ""
Example: "192.168.0.1 lanlocalhost"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.firewall.enable
Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.package
The iptables package to use for running the firewall service.
Type: package
Default: pkgs.iptables
Example: pkgs.iptables-nftables-compat
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.allowPing
Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.allowedTCPPortRanges
A range of TCP ports on which incoming connections are accepted.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ { from = 8999; to = 9003; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.allowedTCPPorts
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ 22 80 ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.allowedUDPPortRanges
Range of open UDP ports.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ { from = 60000; to = 61000; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.allowedUDPPorts
List of open UDP ports.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ 53 ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.autoLoadConntrackHelpers
Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules
(needs kernel 3.5+)
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.checkReversePath
Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused.
If using asymmetric routing or other complicated routing, set this option to loose mode or disable it and set up your own counter-measures.
This option can be either true (or "strict"), "loose" (only drop the packet if the source address is not reachable via any interface) or false. Defaults to the value of kernelHasRPFilter.
(needs kernel 3.3+)
Type: boolean or one of "strict", "loose"
Default: true
Example: "loose"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.connectionTrackingModules
List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example.
As helpers can pose a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default.
Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/
Type: list of strings
Default: [ ]
Example: [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.extraCommands
Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used to allow packets that would otherwise be refused.
Type: strings concatenated with "\n"
Default: ""
Example: "iptables -A INPUT -p icmp -j ACCEPT"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.extraPackages
Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands.
Type: list of packages
Default: [ ]
Example: [ pkgs.ipset ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.extraStopCommands
Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed state.
Type: strings concatenated with "\n"
Default: ""
Example: "iptables -P INPUT ACCEPT"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.interfaces
Interface-specific open ports.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.interfaces.<name>.allowedTCPPortRanges
A range of TCP ports on which incoming connections are accepted.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ { from = 8999; to = 9003; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.interfaces.<name>.allowedTCPPorts
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ 22 80 ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.interfaces.<name>.allowedUDPPortRanges
Range of open UDP ports.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ { from = 60000; to = 61000; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.interfaces.<name>.allowedUDPPorts
List of open UDP ports.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default: [ ]
Example: [ 53 ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.logRefusedConnections
Whether to log rejected or dropped incoming connections. Note: The logs are found in the kernel logs, i.e. dmesg or journalctl -k.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.logRefusedPackets
Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging. Note: The logs are found in the kernel logs, i.e. dmesg or journalctl -k.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.logRefusedUnicastsOnly
If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.logReversePathDrops
Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.pingLimit
If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "--limit 1/minute --limit-burst 5"
Type: null or strings concatenated with " "
Default: null
Example: "--limit 1/minute --limit-burst 5"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.rejectPackets
If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST packet in case of an existing connection). Rejecting packets makes port scanning somewhat easier.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
- networking.firewall.trustedInterfaces
Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.
Type: list of strings
Default: [ ]
Example: [ "enp0s2" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
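The networking.firewall options above, combined into one restrictive configuration. This is an added example, not part of the NixOS manual; the interface name wg0 and the port numbers are assumptions chosen for illustration.

```nix
# Added example: firewall section of /etc/nixos/configuration.nix.
# The interface name (wg0) and all port numbers are assumptions.
{ ... }:
{
  networking.firewall = {
    enable = true;

    # Open globally only what must be reachable on every interface.
    allowedTCPPorts = [ 443 ];

    # Scope management access to the interface it is needed on instead of
    # adding port 22 to the global allowedTCPPorts list.
    interfaces.wg0 = {
      allowedTCPPorts = [ 22 ];
      allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];
    };

    # trustedInterfaces accepts all traffic from an interface unconditionally,
    # so prefer the per-interface port lists above and leave this empty.
    trustedInterfaces = [ ];

    # Answer ICMPv4 echo requests, but rate-limit them.
    allowPing = true;
    pingLimit = "--limit 1/minute --limit-burst 5";

    # Refuse packets whose reply would leave through a different interface,
    # and log those drops. Use "loose" on hosts with asymmetric routing.
    checkReversePath = "strict";
    logReversePathDrops = true;

    # Connection-tracking helpers stay off, as the option text advises.
    autoLoadConntrackHelpers = false;
    connectionTrackingModules = [ ];

    # Drop refused packets silently rather than answering with
    # ICMP "port unreachable" / TCP RST.
    rejectPackets = false;

    # Log refused connections to the kernel log (dmesg, journalctl -k);
    # per-packet logging is left off because of its volume.
    logRefusedConnections = true;
    logRefusedPackets = false;
  };
}
```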
- networking.fooOverUDP
This option allows you to configure Foo Over UDP and Generic UDP Encapsulation endpoints. See ip-fou(8) for details.
Type: attribute set of submodules
Default: { }
Example: { backup = { port = 9002; } ; primary = { local = { address = "192.0.2.1"; dev = "eth0"; } ; port = 9001; } ; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.fooOverUDP.<name>.local
Local address (and optionally device) to bind to using the given port.
Type: null or submodule
Default: null
Example: { address = "203.0.113.22"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.fooOverUDP.<name>.local.address
Local address to bind to. The address must be available when the FOU endpoint is created. With the scripted network setup this can be achieved either by setting dev or by adding dependency information to systemd.services.<name>-fou-encap; it isn't supported when using networkd.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.fooOverUDP.<name>.local.dev
Network device to bind to.
Type: null or string
Default: null
Example: "eth0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.fooOverUDP.<name>.port
Local port of the encapsulation UDP socket.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.fooOverUDP.<name>.protocol
Protocol number of the encapsulated packets. Specifying null (the default) creates a GUE endpoint, specifying a protocol number will create a FOU endpoint.
Type: null or integer between 1 and 255 (both inclusive)
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.fqdn
The fully qualified domain name (FQDN) of this host. It is the result of combining networking.hostName and networking.domain. Using this option will result in an evaluation error if the hostname is empty or no domain is specified.
Type: string (read only)
Default: "${networking.hostName}.${networking.domain}"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.hostFiles
Files that should be concatenated together to form /etc/hosts.
Type: list of paths
Default: Hosts from networking.hosts and networking.extraHosts
Example: [ "${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.hostId
The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.
You should try to make this ID unique among your machines. You can generate a random 32-bit ID using the following commands:
head -c 8 /etc/machine-id
(this derives it from the machine-id that systemd generates) or
head -c4 /dev/urandom | od -A none -t x4
The primary use case is to ensure when using ZFS that a pool isn't imported accidentally on a wrong machine.
Type: null or string
Default: null
Example: "4e98920d"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.hostName
The name of the machine. Leave it empty if you want to obtain it from a DHCP server (if using DHCP). The hostname must be a valid DNS label (see RFC 1035 section 2.3.1: "Preferred name syntax", RFC 1123 section 2.1: "Host Names and Numbers") and as such must not contain the domain part. This means that the hostname must start with a letter or digit, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. The maximum length is 63 characters. Additionally it is recommended to only use lower-case characters. If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname (uname --nodename) the option boot.kernel.sysctl."kernel.hostname" can be used as a workaround (but the 64 character limit still applies).
WARNING: Do not use underscores (_) or you may run into unexpected issues.
Type: string matching the pattern ^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$
Default: "nixos"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.hosts
Locally defined maps of hostnames to IP addresses.
Type: attribute set of lists of strings
Example:
{ "127.0.0.1" = [ "foo.bar.baz" ]; "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; };
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.interfaces
The configuration for each network interface. If networking.useDHCP is true, then every interface not listed here will be configured using DHCP.
Type: attribute set of submodules
Default: { }
Example: { eth0 = { ipv4 = { addresses = [ { address = "131.211.84.78"; prefixLength = 25; } ] ; } ; } ; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.addresses
List of IPv4 addresses that will be statically assigned to the interface.
Type: list of submodules
Default: [ ]
Example: [ { address = "10.0.0.1"; prefixLength = 16; } { address = "192.168.1.1"; prefixLength = 24; } ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.addresses.*.address
IPv4 address of the interface. Leave empty to configure the interface using DHCP.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.addresses.*.prefixLength
Subnet mask of the interface, specified as the number of bits in the prefix (24).
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.routes
List of extra IPv4 static routes that will be assigned to the interface.
Type: list of submodules
Default: [ ]
Example: [ { address = "10.0.0.0"; prefixLength = 16; } { address = "192.168.2.0"; prefixLength = 24; via = "192.168.1.1"; } ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.routes.*.address
IPv4 address of the network.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.routes.*.options
Other route options. See the symbol OPTIONS in the ip-route(8) manual page for the details.
Type: attribute set of strings
Default: { }
Example: { mtu = "1492"; window = "524288"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.routes.*.prefixLength
Subnet mask of the network, specified as the number of bits in the prefix (24).
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv4.routes.*.via
IPv4 address of the next hop.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.addresses
List of IPv6 addresses that will be statically assigned to the interface.
Type: list of submodules
Default: [ ]
Example: [ { address = "fdfd:b3f0:482::1"; prefixLength = 48; } { address = "2001:1470:fffd:2098::e006"; prefixLength = 64; } ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.addresses.*.address
IPv6 address of the interface. Leave empty to configure the interface using DHCP.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.addresses.*.prefixLength
Subnet mask of the interface, specified as the number of bits in the prefix (64).
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.routes
List of extra IPv6 static routes that will be assigned to the interface.
Type: list of submodules
Default: [ ]
Example: [ { address = "fdfd:b3f0::"; prefixLength = 48; } { address = "2001:1470:fffd:2098::"; prefixLength = 64; via = "fdfd:b3f0::1"; } ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.routes.*.address
IPv6 address of the network.
Type: string
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.routes.*.options
Other route options. See the symbol OPTIONS in the ip-route(8) manual page for the details.
Type: attribute set of strings
Default: { }
Example: { mtu = "1492"; window = "524288"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.routes.*.prefixLength
Subnet mask of the network, specified as the number of bits in the prefix (64).
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.ipv6.routes.*.via
IPv6 address of the next hop.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.macAddress
MAC address of the interface. Leave empty to use the default.
Type: null or string
Default: null
Example: "00:11:22:33:44:55"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.mtu
MTU size for packets leaving the interface. Leave empty to use the default.
Type: null or signed integer
Default: null
Example: 9000
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.name
Name of the interface.
Type: string
Example: "eth0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.proxyARP
Turn on proxy_arp for this device. This is mainly useful for creating pseudo-bridges between a real interface and a virtual network such as VPN or a virtual machine for interfaces that don't support real bridging (most wlan interfaces). As ARP proxying acts slightly above the link-layer, below-ip traffic isn't bridged, so things like DHCP won't work. The advantage over using NAT lies in the fact that no IP addresses are shared, so all hosts are reachable/routable.
WARNING: turns on ip-routing, so if you have multiple interfaces, you should think of the consequences and set up firewall rules to limit this.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.tempAddress
When IPv6 is enabled with SLAAC, this option controls the use of temporary address (aka privacy extensions) on this interface. This is used to reduce tracking.
See also the global option networking.tempAddresses, which applies to all interfaces where this is not set.
Possible values are:
- "default" to generate IPv6 temporary addresses and use these as source addresses in routing;
- "disabled" to completely disable IPv6 temporary addresses;
- "enabled" to generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses;
Type: one of "default", "disabled", "enabled"
Default: config.networking.tempAddresses
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.useDHCP
Whether this interface should be configured with dhcp. Null implies the old behavior which depends on whether ip addresses are specified or not.
Type: null or boolean
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.virtual
Whether this interface is virtual and should be created by tunctl. This is mainly useful for creating bridges between a host and a virtual network such as VPN or a virtual machine.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.virtualOwner
In case of a virtual device, the user who owns it.
Type: string
Default: "root"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.virtualType
The type of interface to create. The default is TUN for an interface name starting with "tun", otherwise TAP.
Type: one of "tun", "tap"
Default: if hasPrefix "tun" name then "tun" else "tap"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.interfaces.<name>.wakeOnLan.enable
Whether to enable Wake-on-LAN (WoL) on this interface.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.iproute2.enable
Whether to copy IP route configuration files.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/iproute2.nix>
- networking.iproute2.rttablesExtraConfig
Verbatim lines to add to /etc/iproute2/rt_tables
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/iproute2.nix>
- networking.localCommands
Shell commands to be executed at the end of the network-setup systemd service. Note that if you are using DHCP to obtain the network configuration, interfaces may not be fully configured yet.
Type: strings concatenated with "\n"
Default: ""
Example: "text=anything; echo You can put $text here."
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.macvlans
This option allows you to define macvlan interfaces which should be automatically created.
Type: attribute set of submodules
Default: { }
Example:
{ wan = { interface = "enp2s0"; mode = "vepa"; }; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.macvlans.<name>.interface
The interface the macvlan will transmit packets through.
Type: string
Example: "enp4s0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.macvlans.<name>.mode
The mode of the macvlan device.
Type: null or string
Default: null
Example: "vepa"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.nameservers
The list of nameservers. It can be left empty if it is auto-detected through DHCP.
Type: list of strings
Default: [ ]
Example: [ "130.161.158.4" "130.161.33.17" ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.nat.enable
Whether to enable Network Address Translation (NAT).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.enableIPv6
Whether to enable IPv6 NAT.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.dmzHost
The local IP address to which all traffic that does not match any forwarding rule is forwarded.
Type: null or string
Default: null
Example: "10.0.0.1"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.externalIP
The public IP address to which packets from the local network are to be rewritten. If this is left empty, the IP address associated with the external interface will be used.
Type: null or string
Default: null
Example: "203.0.113.123"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.externalIPv6
The public IPv6 address to which packets from the local network are to be rewritten. If this is left empty, the IP address associated with the external interface will be used.
Type: null or string
Default: null
Example: "2001:dc0:2001:11::175"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.externalInterface
The name of the external network interface.
Type: null or string
Default: null
Example: "eth1"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.extraCommands
Additional shell commands executed as part of the nat initialisation script.
Type: strings concatenated with "\n"
Default: ""
Example: "iptables -A INPUT -p icmp -j ACCEPT"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.extraStopCommands
Additional shell commands executed as part of the nat teardown script.
Type: strings concatenated with "\n"
Default: ""
Example: "iptables -D INPUT -p icmp -j ACCEPT || true"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.forwardPorts
List of forwarded ports from the external interface to internal destinations by using DNAT. Destination can be IPv6 if IPv6 NAT is enabled.
Type: list of submodules
Default: [ ]
Example:
[
  { destination = "10.0.0.1:80"; proto = "tcp"; sourcePort = 8080; }
  { destination = "[fc00::2]:80"; proto = "tcp"; sourcePort = 8080; }
]
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.forwardPorts.*.destination
Forward connection to destination ip:port (or [ipv6]:port); to specify a port range, use ip:start-end
Type: string
Example: "10.0.0.1:80"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.forwardPorts.*.loopbackIPs
Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT
Type: list of strings
Default: [ ]
Example: [ "55.1.2.3" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.forwardPorts.*.proto
Protocol of forwarded connection
Type: string
Default: "tcp"
Example: "udp"
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.forwardPorts.*.sourcePort
Source port of the external interface; to specify a port range, use a string with a colon (e.g. "60000:61000")
Type: signed integer or string matching the pattern [[:digit:]]+:[[:digit:]]+
Example: 8080
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.internalIPs
The IP address ranges for which to perform NAT. Packets coming from these addresses (on any interface) and destined for the external interface will be rewritten.
Type: list of strings
Default: [ ]
Example: [ "192.168.1.0/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.internalIPv6s
The IPv6 address ranges for which to perform NAT. Packets coming from these addresses (on any interface) and destined for the external interface will be rewritten.
Type: list of strings
Default: [ ]
Example: [ "fc00::/64" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.nat.internalInterfaces
The interfaces for which to perform NAT. Packets coming from these interfaces and destined for the external interface will be rewritten.
Type: list of strings
Default: [ ]
Example: [ "eth0" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/nat.nix>
- networking.networkmanager.enable
Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured. If enabled, a group networkmanager will be created. Add all users that should have permission to change network settings to this group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.enableStrongSwan
Enable the StrongSwan plugin.
If you enable this option, the networkmanager_strongswan plugin will be added to the networking.networkmanager.packages option, so you don't need to do that yourself.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.packages
Extra packages that provide NetworkManager plugins.
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.appendNameservers
A list of name servers that should be appended to the ones configured in NetworkManager or received by DHCP.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.connectionConfig
Configuration for the [connection] section of NetworkManager.conf. Refer to https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#id-1.2.3.11 or NetworkManager.conf(5) for more information.
Type: attribute set of null or boolean or signed integer or strings
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.dhcp
Which program (or internal library) should be used for DHCP.
Type: one of "dhclient", "dhcpcd", "internal"
Default: "internal"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.dispatcherScripts
A list of scripts which will be executed in response to network events.
Type: list of submodules
Default: [ ]
Example:
[
  {
    source = pkgs.writeText "upHook" ''
      if [ "$2" != "up" ]; then
        logger "exit: event $2 != up"
        exit
      fi
      # coreutils and iproute are in PATH too
      logger "Device $DEVICE_IFACE coming up"
    '';
    type = "basic";
  }
]
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.dispatcherScripts.*.source
Path to the hook script.
Type: path
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.dispatcherScripts.*.type
Dispatcher hook type. Look up the hooks described at https://developer.gnome.org/NetworkManager/stable/NetworkManager.html and choose the type depending on the output folder. You should then filter the event type (e.g., "up"/"down") from within your script.
Type: one of "basic", "pre-down", "pre-up"
Default: "basic"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.dns
Set the DNS (resolv.conf) processing mode.
A description of these modes can be found in the main section of https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html or in NetworkManager.conf(5).
Type: one of "default", "dnsmasq", "unbound", "systemd-resolved", "none"
Default: "default"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.ethernet.macAddress
Set the MAC address of the interface.
- "XX:XX:XX:XX:XX:XX"
MAC address of the interface
- "permanent"
Use the permanent MAC address of the device
- "preserve"
Don’t change the MAC address of the device upon activation
- "random"
Generate a randomized value upon each connect
- "stable"
Generate a stable, hashed MAC address
Type: string or one of "permanent", "preserve", "random", "stable"
Default: "preserve"
Example: "00:11:22:33:44:55"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.extraConfig
Configuration appended to the generated NetworkManager.conf. Refer to https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html or NetworkManager.conf(5) for more information.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.firewallBackend
Which firewall backend should be used for configuring masquerading with shared mode. If set to none, NetworkManager doesn't manage the configuration at all.
Type: one of "iptables", "nftables", "none"
Default: "iptables"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.insertNameservers
A list of name servers that should be inserted before the ones configured in NetworkManager or received by DHCP.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.logLevel
Set the default logging verbosity level.
Type: one of "OFF", "ERR", "WARN", "INFO", "DEBUG", "TRACE"
Default: "WARN"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.unmanaged
List of interfaces that will not be managed by NetworkManager. Interface name can be specified here, but if you need more fidelity, refer to https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec or the "Device List Format" Appendix of NetworkManager.conf(5).
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.wifi.backend
Specify the Wi-Fi backend used for the device. Currently supported are wpa_supplicant or iwd (experimental).
Type: one of "wpa_supplicant", "iwd"
Default: "wpa_supplicant"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.wifi.macAddress
Set the MAC address of the interface.
- "XX:XX:XX:XX:XX:XX"
MAC address of the interface
- "permanent"
Use the permanent MAC address of the device
- "preserve"
Don’t change the MAC address of the device upon activation
- "random"
Generate a randomized value upon each connect
- "stable"
Generate a stable, hashed MAC address
Type: string or one of "permanent", "preserve", "random", "stable"
Default: "preserve"
Example: "00:11:22:33:44:55"
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.wifi.powersave
Whether to enable Wi-Fi power saving.
Type: null or boolean
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.networkmanager.wifi.scanRandMacAddress
Whether to enable MAC address randomization of a Wi-Fi device during scanning.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
- networking.nftables.enable
Whether to enable nftables. nftables is a Linux-based packet filtering framework intended to replace frameworks like iptables.
This conflicts with the standard networking firewall, so make sure to disable it before using nftables.
Note that if you have Docker enabled you will not be able to use nftables without intervention. Docker uses iptables internally to set up NAT for containers. This module disables the ip_tables kernel module; however, Docker automatically loads the module. Please see [1] for more information.
There are other programs that use iptables internally too, such as libvirt.
[1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/nftables.nix>
- networking.nftables.ruleset
The ruleset to be used with nftables. Should be in a format that can be loaded using "/bin/nft -f". The ruleset is updated atomically.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  # Check out https://wiki.nftables.org/ for better documentation.
  # Table for both IPv4 and IPv6.
  table inet filter {
    # Block all incoming connections traffic except SSH and "ping".
    chain input {
      type filter hook input priority 0;
      # accept any localhost traffic
      iifname lo accept
      # accept traffic originated from us
      ct state {established, related} accept
      # ICMP
      # routers may also want: mld-listener-query, nd-router-solicit
      ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
      # allow "ping"
      ip6 nexthdr icmpv6 icmpv6 type echo-request accept
      ip protocol icmp icmp type echo-request accept
      # accept SSH connections (required for a server)
      tcp dport 22 accept
      # count and drop any other traffic
      counter drop
    }
    # Allow all outgoing connections.
    chain output {
      type filter hook output priority 0;
      accept
    }
    chain forward {
      type filter hook forward priority 0;
      accept
    }
  }
''
Declared by:
<nixpkgs/nixos/modules/services/networking/nftables.nix>
- networking.nftables.rulesetFile
The ruleset file to be used with nftables. Should be in a format that can be loaded using "nft -f". The ruleset is updated atomically.
Type: path
Default: a file with the contents of networking.nftables.ruleset
Declared by:
<nixpkgs/nixos/modules/services/networking/nftables.nix>
- networking.proxy.allProxy
This option specifies the all_proxy environment variable.
Type: null or string
Default: null
Example: "http://127.0.0.1:3128"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.proxy.default
This option specifies the default value for httpProxy, httpsProxy, ftpProxy and rsyncProxy.
Type: null or string
Default: null
Example: "http://127.0.0.1:3128"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.proxy.ftpProxy
This option specifies the ftp_proxy environment variable.
Type: null or string
Default: null
Example: "http://127.0.0.1:3128"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.proxy.httpProxy
This option specifies the http_proxy environment variable.
Type: null or string
Default: null
Example: "http://127.0.0.1:3128"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.proxy.httpsProxy
This option specifies the https_proxy environment variable.
Type: null or string
Default: null
Example: "http://127.0.0.1:3128"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.proxy.noProxy
This option specifies the no_proxy environment variable. If a default proxy is used and noProxy is null, then noProxy will be set to 127.0.0.1,localhost.
Type: null or string
Default: null
Example: "127.0.0.1,localhost,.localdomain"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.proxy.rsyncProxy
This option specifies the rsync_proxy environment variable.
Type: null or string
Default: null
Example: "http://127.0.0.1:3128"
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.resolvconf.dnsExtensionMechanism
Enable the edns0 option in resolv.conf. With that option set, glibc supports use of the extension mechanisms for DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC, which does not work without it.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/resolvconf.nix>
- networking.resolvconf.dnsSingleRequest
Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) address queries at the same time, from the same port. Sometimes upstream routers will systemically drop the ipv4 queries. The symptom of this problem is that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The workaround for this is to specify the option 'single-request' in /etc/resolv.conf. This option enables that.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/resolvconf.nix>
- networking.resolvconf.extraConfig
Extra configuration to append to resolvconf.conf.
Type: strings concatenated with "\n"
Default: ""
Example: "libc=NO"
Declared by:
<nixpkgs/nixos/modules/config/resolvconf.nix>
- networking.resolvconf.extraOptions
Set the options in /etc/resolv.conf.
Type: list of strings
Default: [ ]
Example: [ "ndots:1" "rotate" ]
Declared by:
<nixpkgs/nixos/modules/config/resolvconf.nix>
- networking.resolvconf.useLocalResolver
Use local DNS server for resolving.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/resolvconf.nix>
- networking.rxe.enable
Whether to enable RDMA over converged ethernet.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/rxe.nix>
- networking.rxe.interfaces
Enable RDMA on the listed interfaces. The corresponding virtual RDMA interfaces will be named rxe_<interface>. UDP port 4791 must be open on the respective ethernet interfaces.
Type: list of strings
Default: [ ]
Example: [ "eth0" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/rxe.nix>
- networking.search
The list of search paths used when resolving domain names.
Type: list of strings
Default: [ ]
Example: [ "example.com" "home.arpa" ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits
This option allows you to define 6-to-4 interfaces which should be automatically created.
Type: attribute set of submodules
Default: { }
Example:
{
  hurricane = {
    remote = "10.0.0.1";
    local = "10.0.0.22";
    ttl = 255;
  };
  msipv6 = {
    remote = "192.168.0.1";
    dev = "enp3s0";
    ttl = 127;
  };
}
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.dev
The underlying network device on which the tunnel resides.
Type: null or string
Default: null
Example: "enp4s0f0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.encapsulation
Configures encapsulation in UDP packets.
Type: null or submodule
Default: null
Example: { port = 9001; type = "fou"; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.encapsulation.port
Destination port for encapsulated packets.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Example: 9001
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.encapsulation.sourcePort
Source port for encapsulated packets. Will be chosen automatically by the kernel if unset.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: null
Example: 9002
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.encapsulation.type
Selects encapsulation type. See ip-link(8) for details.
Type: one of "fou", "gue"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.local
The address of the local endpoint which the remote side should send packets to.
Type: null or string
Default: null
Example: "10.0.0.22"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.remote
The address of the remote endpoint to forward traffic over.
Type: null or string
Default: null
Example: "10.0.0.1"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.sits.<name>.ttl
The time-to-live of the connection to the remote tunnel endpoint.
Type: null or signed integer
Default: null
Example: 255
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.supplicant
Interfaces for which to start wpa_supplicant. The supplicant is used to scan for and associate with wireless networks, or to authenticate with 802.1x capable network switches.
The value of this option is an attribute set. Each attribute configures a wpa_supplicant service, where the attribute name specifies the name of the interface that wpa_supplicant operates on. The attribute name can be a space separated list of interfaces. The attribute names WLAN, LAN and DBUS have a special meaning. WLAN and LAN are configurations for universal wpa_supplicant service that is started for each WLAN interface or for each LAN interface, respectively. DBUS defines a device-unrelated wpa_supplicant service that can be accessed through D-Bus.
Type: attribute set of submodules
Default: { }
Example:
{
  "wlan0 wlan1" = {
    configFile.path = "/etc/wpa_supplicant.conf";
    userControlled.group = "network";
    extraConf = ''
      ap_scan=1
      p2p_disabled=1
    '';
    extraCmdArgs = "-u -W";
    bridge = "br0";
  };
}
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.bridge
Name of the bridge interface that wpa_supplicant should listen at.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.configFile.path
External wpa_supplicant.conf configuration file. The configuration options defined declaratively within networking.supplicant have precedence over options defined in configFile.
Type: null or path
Default: null
Example: /etc/wpa_supplicant.conf
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.configFile.writable
Whether the configuration file at configFile.path should be written to by wpa_supplicant.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.driver
Force a specific wpa_supplicant driver.
Type: null or string
Default: "nl80211,wext"
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.extraCmdArgs
Command line arguments to add when executing wpa_supplicant.
Type: string
Default: ""
Example: "-e/run/wpa_supplicant/entropy.bin"
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.extraConf
Configuration options for wpa_supplicant.conf. Options defined here have precedence over options in configFile. NOTE: Do not write sensitive data into extraConf as it will be world-readable in the nix-store. For sensitive information use the configFile instead.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  ap_scan=1
  device_name=My-NixOS-Device
  device_type=1-0050F204-1
  driver_param=use_p2p_group_interface=1
  disable_scan_offload=1
  p2p_listen_reg_class=81
  p2p_listen_channel=1
  p2p_oper_reg_class=81
  p2p_oper_channel=1
  manufacturer=NixOS
  model_name=NixOS_Unstable
  model_number=2015
''
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.userControlled.enable
Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don't want to depend on a large package such as NetworkManager just to pick nearby access points.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.userControlled.group
Members of this group can control wpa_supplicant.
Type: string
Default: "wheel"
Example: "network"
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.supplicant.<name>.userControlled.socketDir
Directory of sockets for controlling wpa_supplicant.
Type: string
Default: "/run/wpa_supplicant"
Declared by:
<nixpkgs/nixos/modules/services/networking/supplicant.nix>
- networking.tcpcrypt.enable
Whether to enable opportunistic TCP encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be sent in clear text. Thus, Tcpcrypt alone provides no guarantees -- it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/tcpcrypt.nix>
- networking.tempAddresses
Whether to enable IPv6 Privacy Extensions for interfaces not configured explicitly in networking.interfaces.<name>.tempAddress.
This sets the ipv6.conf.*.use_tempaddr sysctl for all interfaces. Possible values are:
- "default" to generate IPv6 temporary addresses and use these as source addresses in routing;
- "disabled" to completely disable IPv6 temporary addresses;
- "enabled" to generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses;
Type: one of "default", "disabled", "enabled"
Default: "default"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.timeServers
The set of NTP servers from which to synchronise.
Type: list of strings
Default: [ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]
Declared by:
<nixpkgs/nixos/modules/config/networking.nix>
- networking.ucarp.enable
Whether to enable ucarp, a userspace implementation of CARP.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.package
Package that should be used for ucarp.
Please note that the default package, pkgs.ucarp, has not received any upstream updates for a long time and can be considered as unmaintained.
Type: package
Default: pkgs.ucarp
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.addr
Virtual shared IP address.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.advBase
Advertisement frequency in seconds.
Type: unsigned integer, meaning >=0
Default: 1
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.advSkew
Advertisement skew in seconds.
Type: unsigned integer, meaning >=0
Default: 0
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.deadratio
Ratio to consider a host as dead.
Type: unsigned integer, meaning >=0
Default: 3
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.downscript
Command to run after becoming backup. The interface name, virtual address and optional extra parameters are passed as arguments.
Type: path
Example:
pkgs.writeScript "downscript" ''
  #!/bin/sh
  ${pkgs.iproute2}/bin/ip addr del "$2"/24 dev "$1"
'';
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.extraParam
Extra parameter to pass to the up/down scripts.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.ignoreIfState
Ignore interface state, e.g., down or no carrier.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.interface
Network interface to bind to.
Type: string
Example: "eth0"
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.neutral
Do not run downscript at start if the host is the backup.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.noMcast
Use broadcast instead of multicast advertisements.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.passwordFile
File containing shared password between CARP hosts.
Type: string
Example: "/run/keys/ucarp-password"
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.preempt
Enable preemptive failover. Thus, this host becomes the CARP master as soon as possible.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.shutdown
Call downscript at exit.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.srcIp
Source (real) IP address of this host.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.upscript
Command to run after becoming master. The interface name, virtual address and optional extra parameters are passed as arguments.
Type: path
Example:
pkgs.writeScript "upscript" ''
  #!/bin/sh
  ${pkgs.iproute2}/bin/ip addr add "$2"/24 dev "$1"
'';
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.ucarp.vhId
Virtual IP identifier shared between CARP hosts.
Type: integer between 1 and 255 (both inclusive)
Example: 1
Declared by:
<nixpkgs/nixos/modules/services/networking/ucarp.nix>
- networking.useDHCP
Whether to use DHCP to obtain an IP address and other configuration for all network interfaces that are not manually configured.
Using this option is highly discouraged and also incompatible with networking.useNetworkd. Please use networking.interfaces.<name>.useDHCP instead and set this to false.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.useHostResolvConf
In containers, whether to use the resolv.conf supplied by the host.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.useNetworkd
Whether we should use networkd as the network configuration backend or the legacy script based system. Note that this option is experimental, enable at your own risk.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.usePredictableInterfaceNames
Whether to assign predictable names to network interfaces. If enabled, interfaces are assigned names that contain topology information (e.g. wlp3s0) and thus should be stable across reboots. If disabled, names depend on the order in which interfaces are discovered by the kernel, which may change randomly across reboots; for instance, you may find eth0 and eth1 flipping unpredictably.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/udev.nix>
- networking.vlans
This option allows you to define vlan devices that tag packets on top of a physical interface. The value of this option is an attribute set. Each attribute specifies a vlan, with the name specifying the name of the vlan interface.
Type: attribute set of submodules
Default: { }
Example:
{ vlan0 = { id = 3; interface = "enp3s0"; }; vlan1 = { id = 1; interface = "wlan0"; }; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vlans.<name>.id
The vlan identifier
Type: signed integer
Example: 1
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vlans.<name>.interface
The interface the vlan will transmit packets through.
Type: string
Example: "enp4s0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches
This option allows you to define Open vSwitches that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a vswitch, with the attribute name specifying the name of the vswitch's network interface.
Type: attribute set of submodules
Default: { }
Example: { vs0 = { interfaces = { eth0 = { } ; lo1 = { type = "internal"; } ; } ; } ; vs1 = { interfaces = [ { name = "eth2"; } { name = "lo2"; type = "internal"; } ] ; } ; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.controllers
Specify the controller targets. For the allowed options see man 8 ovs-vsctl.
Type: list of strings
Default: [ ]
Example: [ "ptcp:6653:[::1]" ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.extraOvsctlCmds
Commands to manipulate the Open vSwitch database. Every line is executed with ovs-vsctl. All commands are bundled together with the operations for adding the interfaces into one atomic operation.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  set-fail-mode <switch_name> secure
  set Bridge <switch_name> stp_enable=true
''
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.interfaces
The physical network interfaces connected by the vSwitch.
Type: attribute set of submodules
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.interfaces.<name>.name
Name of the interface
Type: string
Example: "eth0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.interfaces.<name>.type
Openvswitch type to assign to interface
Type: null or string
Default: null
Example: "internal"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.interfaces.<name>.vlan
Vlan tag to apply to interface
Type: null or signed integer
Default: null
Example: 10
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.openFlowRules
OpenFlow rules to insert into the Open vSwitch. All openFlowRules are loaded with ovs-ofctl within one atomic operation.
Type: strings concatenated with "\n"
Default: ""
Example:
'' actions=normal ''
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.openFlowVersion
Version of OpenFlow protocol to use when communicating with the switch internally (e.g. with openFlowRules).
Type: string
Default: "OpenFlow13"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.vswitches.<name>.supportedOpenFlowVersions
Supported versions to enable on this switch.
Type: list of strings
Default: [ "OpenFlow13" ]
Example: [ "OpenFlow10" "OpenFlow13" "OpenFlow14" ]
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wg-quick.interfaces
Wireguard interfaces.
Type: attribute set of submodules
Default: { }
Example: { wg0 = { address = [ "192.168.20.4/24" ] ; peers = [ { allowedIPs = [ "192.168.20.1/32" ] ; endpoint = "demo.wireguard.io:12913"; publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; } ] ; privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="; } ; }
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.address
The IP addresses of the interface.
Type: list of strings
Default: [ ]
Example: [ "192.168.2.1/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.dns
The IP addresses of DNS servers to configure.
Type: list of strings
Default: [ ]
Example: [ "192.168.2.2" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.listenPort
16-bit port for listening. Optional; if not specified, automatically generated based on interface name.
Type: null or signed integer
Default: null
Example: 51820
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.mtu
If not specified, the MTU is automatically determined from the endpoint addresses or the system default route, which is usually a sane choice. However, to manually specify an MTU to override this automatic discovery, this value may be specified explicitly.
Type: null or signed integer
Default: null
Example: 1248
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers
Peers linked to the interface.
Type: list of submodules
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers.*.allowedIPs
List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.
Type: list of strings
Example: [ "10.192.122.3/32" "10.192.124.1/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers.*.endpoint
Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer.
Type: null or string
Default: null
Example: "demo.wireguard.io:12913"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive
This is optional and is by default off, because most users will not need it. It represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at any time receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need this.
Type: null or signed integer
Default: null
Example: 25
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers.*.presharedKey
Base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.
Warning: Consider using presharedKeyFile instead if you do not want to store the key in the world-readable Nix store.
Type: null or string
Default: null
Example: "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile
File pointing to preshared key as generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.
Type: null or string
Default: null
Example: "/private/wireguard_psk"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.peers.*.publicKey
The base64 public key of the peer.
Type: string
Example: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.postDown
Command called after the interface is taken down.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example: "${pkgs.iproute2}/bin/ip netns del foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.postUp
Commands called after the interface setup.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example: "${pkgs.iproute2}/bin/ip netns add foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.preDown
Command called before the interface is taken down.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example: "${pkgs.iproute2}/bin/ip netns del foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.preUp
Commands called at the start of the interface setup.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example: "${pkgs.iproute2}/bin/ip netns add foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.privateKey
Base64 private key generated by wg genkey.
Warning: Consider using privateKeyFile instead if you do not want to store the key in the world-readable Nix store.
Type: null or string
Default: null
Example: "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.privateKeyFile
Private key file as generated by wg genkey.
Type: null or string
Default: null
Example: "/private/wireguard_key"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wg-quick.interfaces.<name>.table
The kernel routing table to add this interface's associated routes to. Setting this is useful for e.g. policy routing ("ip rule") or virtual routing and forwarding ("ip vrf"). Both numeric table IDs and table names (/etc/rt_tables) can be used. Defaults to "main".
Type: null or string
Default: null
Example: "main"
Declared by:
<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
- networking.wireguard.enable
Whether to enable WireGuard.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces
WireGuard interfaces.
Type: attribute set of submodules
Default: { }
Example: { wg0 = { ips = [ "192.168.20.4/24" ] ; peers = [ { allowedIPs = [ "192.168.20.1/32" ] ; endpoint = "demo.wireguard.io:12913"; publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="; } ] ; privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="; } ; }
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.allowedIPsAsRoutes
Determines whether to add allowed IPs as routes or not.
Type: boolean
Default: true
Example: false
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.generatePrivateKeyFile
Automatically generate a private key with wg genkey, at the privateKeyFile location.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.interfaceNamespace
The pre-existing network namespace the WireGuard interface is moved to. The special value init means the init namespace. When null, the interface is not moved. See documentation.
Type: null or string
Default: null
Example: "init"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.ips
The IP addresses of the interface.
Type: list of strings
Default: [ ]
Example: [ "192.168.2.1/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.listenPort
16-bit port for listening. Optional; if not specified, automatically generated based on interface name.
Type: null or signed integer
Default: null
Example: 51820
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers
Peers linked to the interface.
Type: list of submodules
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.allowedIPs
List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.
Type: list of strings
Example: [ "10.192.122.3/32" "10.192.124.1/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds
Periodically re-execute the wg utility every this many seconds in order to let WireGuard notice DNS / hostname changes.
Setting this to 0 disables periodic reexecution.
Type: signed integer
Default: 0
Example: 5
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.endpoint
Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer.
Warning for endpoints with changing IPs: The WireGuard kernel side cannot perform DNS resolution. Thus DNS resolution is done once by the wg userspace utility, when setting up WireGuard. Consequently, if the IP address behind the name changes, WireGuard will not notice. This is especially common for dynamic-DNS setups, but also applies to any other DNS-based setup. If you do not use IP endpoints, you likely want to set networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds to refresh the IPs periodically.
Type: null or string
Default: null
Example: "demo.wireguard.io:12913"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive
This is optional and is by default off, because most users will not need it. It represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at any time receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need this.
Type: null or signed integer
Default: null
Example: 25
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.presharedKey
Base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.
Warning: Consider using presharedKeyFile instead if you do not want to store the key in the world-readable Nix store.
Type: null or string
Default: null
Example: "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile
File pointing to preshared key as generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.
Type: null or string
Default: null
Example: "/private/wireguard_psk"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.peers.*.publicKey
The base64 public key of the peer.
Type: string
Example: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.postSetup
Commands called at the end of the interface setup.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example:
''printf "nameserver 10.200.100.1" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0''
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.postShutdown
Commands called after shutting down the interface.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example: "${pkgs.openresolv}/bin/resolvconf -d wg0"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.preSetup
Commands called at the start of the interface setup.
Type: strings concatenated with "\n" or list of strings convertible to it
Default: ""
Example: "${pkgs.iproute2}/bin/ip netns add foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.privateKey
Base64 private key generated by wg genkey.
Warning: Consider using privateKeyFile instead if you do not want to store the key in the world-readable Nix store.
Type: null or string
Default: null
Example: "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.privateKeyFile
Private key file as generated by wg genkey.
Type: null or string
Default: null
Example: "/private/wireguard_key"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.socketNamespace
The pre-existing network namespace in which the WireGuard interface is created, and which retains the socket even if the interface is moved via interfaceNamespace. When null, the interface is created in the init namespace. See documentation.
Type: null or string
Default: null
Example: "container"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
- networking.wireguard.interfaces.<name>.table
The kernel routing table to add this interface's associated routes to. Setting this is useful for e.g. policy routing ("ip rule") or virtual routing and forwarding ("ip vrf"). Both numeric table IDs and table names (/etc/rt_tables) can be used. Defaults to "main".
Type: string
Default: "main"
Declared by:
<nixpkgs/nixos/modules/services/networking/wireguard.nix>
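The warnings on privateKey and presharedKey above, shown as a weak interface definition beside a corrected one. This is an added example, not part of the NixOS manual; the paths under /var/lib/wireguard and the 300-second refresh interval are assumptions, and the keys are the sample values already printed in this manual.

```nix
{ ... }:
let
  # Settings shared by both variants (peer values are the manual's samples).
  peer = {
    publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
    allowedIPs = [ "192.168.20.1/32" ];
    endpoint = "demo.wireguard.io:12913";
  };

  # Weak: both secrets are string literals in the configuration, so they are
  # written into the world-readable Nix store with the generated system.
  weak = {
    ips = [ "192.168.20.4/24" ];
    privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=";
    peers = [
      (peer // { presharedKey = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="; })
    ];
  };

  # Corrected: only file paths enter the store; the key material is read from
  # the files when the interface is brought up.
  hardened = {
    ips = [ "192.168.20.4/24" ];
    listenPort = 51820;

    # Keep these as quoted strings. A Nix path literal interpolated into a
    # string is copied into the store, which would defeat the purpose.
    privateKeyFile = "/var/lib/wireguard/wg0.key";   # assumed location
    generatePrivateKeyFile = true;                   # runs wg genkey at that path

    peers = [
      (peer // {
        presharedKeyFile = "/var/lib/wireguard/wg0-peer.psk";  # assumed location
        # The endpoint is a hostname, so re-resolve it periodically
        # (see the endpoint warning above).
        dynamicEndpointRefreshSeconds = 300;
      })
    ];
  };
in
{
  # Switch to `weak` only to compare the resulting store contents on a test
  # machine; never deploy it with real keys.
  networking.wireguard.interfaces.wg0 = hardened;
}
```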
- networking.wireless.enable
Whether to enable wpa_supplicant.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.allowAuxiliaryImperativeNetworks
Whether to allow configuring networks "imperatively" (e.g. via wpa_supplicant_gui) and declaratively via networking.wireless.networks.
Please note that this adds a custom patch to wpa_supplicant.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.athUserRegulatoryDomain
If enabled, sets the ATH_USER_REGD kernel config switch to true to disable the enforcement of EEPROM regulatory restrictions for ath drivers. Requires at least Linux 5.8.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/hardware/network/ath-user-regd.nix>
- networking.wireless.dbusControlled
Whether to enable the DBus control interface. This is only needed when using NetworkManager or connman.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.driver
Force a specific wpa_supplicant driver.
Type: string
Default: "nl80211,wext"
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.environmentFile
File consisting of lines of the form varname=value to define variables for the wireless configuration.
See section "EnvironmentFile=" in systemd.exec(5) for a syntax reference.
Secrets (PSKs, passwords, etc.) can be provided without adding them to the world-readable Nix store by defining them in the environment file and referring to them in option networking.wireless.networks with the syntax @varname@. Example:
# content of /run/secrets/wireless.env
PSK_HOME=mypassword
PASS_WORK=myworkpassword

# wireless-related configuration
networking.wireless.environmentFile = "/run/secrets/wireless.env";
networking.wireless.networks = {
  home.psk = "@PSK_HOME@";
  work.auth = ''
    eap=PEAP
    identity="my-user@example.com"
    password="@PASS_WORK@"
  '';
};
Type: null or path
Default: null
Example: "/run/secrets/wireless.env"
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.extraConfig
Extra lines appended to the configuration file. See wpa_supplicant.conf(5) for available options.
Type: string
Default: ""
Example:
'' p2p_disabled=1 ''
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.fallbackToWPA2
Whether to fall back to WPA2 authentication protocols if WPA3 failed. This allows old wireless cards (that lack recent features required by WPA3) to connect to mixed WPA2/WPA3 access points.
To avoid possible downgrade attacks, disable this option.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.interfaces
The interfaces wpa_supplicant will use. If empty, it will automatically use all wireless interfaces.
Note
A separate wpa_supplicant instance will be started for each interface.
Type: list of strings
Default: [ ]
Example: [ "wlan0" "wlan1" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.iwd.enable
Whether to enable iwd.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/iwd.nix>
- networking.wireless.iwd.settings
Options passed to iwd. See here for supported options.
Type: attribute set of attribute sets of INI atoms (null, bool, int, float or string)
Default: { }
Example: { Network = { EnableIPv6 = true; RoutePriorityOffset = 300; } ; Settings = { AutoConnect = true; } ; }
Declared by:
<nixpkgs/nixos/modules/services/networking/iwd.nix>
- networking.wireless.networks
The network definitions to automatically connect to when wpa_supplicant is running. If this parameter is left empty wpa_supplicant will use /etc/wpa_supplicant.conf as the configuration file.
Type: attribute set of submodules
Default: { }
Example:
{ echelon = {                   # SSID with no spaces or special characters
    psk = "abcdefgh";           # (password will be written to /nix/store!)
  };
  echelon = {                   # safe version of the above: read PSK from the
    psk = "@PSK_ECHELON@";      # variable PSK_ECHELON, defined in environmentFile,
  };                            # this won't leak into /nix/store
  "echelon's AP" = {            # SSID with spaces and/or special characters
    psk = "ijklmnop";           # (password will be written to /nix/store!)
  };
  "free.wifi" = {};             # Public wireless network
}
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.auth
Use this option to configure advanced authentication methods like EAP. See wpa_supplicant.conf(5) for example configurations.
Warning
Be aware that this will be written to the nix store in plaintext! Use an environment variable for secrets.
Note
Mutually exclusive with psk and pskRaw.
Type: null or string
Default: null
Example:
''
  eap=PEAP
  identity="user@example.com"
  password="@EXAMPLE_PASSWORD@"
''
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.authProtocols
The list of authentication protocols accepted by this network. This corresponds to the key_mgmt option in wpa_supplicant.
Type: list of one of "WPA-PSK", "WPA-EAP", "IEEE8021X", "NONE", "WPA-NONE", "FT-PSK", "FT-EAP", "FT-EAP-SHA384", "WPA-PSK-SHA256", "WPA-EAP-SHA256", "SAE", "FT-SAE", "WPA-EAP-SUITE-B", "WPA-EAP-SUITE-B-192", "OSEN", "FILS-SHA256", "FILS-SHA384", "FT-FILS-SHA256", "FT-FILS-SHA384", "OWE", "DPP"
Default: [ "WPA-PSK" "WPA-EAP" "SAE" "FT-PSK" "FT-EAP" "FT-SAE" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.extraConfig
Extra configuration lines appended to the network block. See wpa_supplicant.conf(5) for available options.
Type: string
Default: ""
Example:
'' bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66 ''
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.hidden
Set this to true if the SSID of the network is hidden.
Type: boolean
Default: false
Example:
{ echelon = { hidden = true; psk = "abcdefgh"; }; }
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.priority
By default, all networks will get same priority group (0). If some of the networks are more desirable, this field can be used to change the order in which wpa_supplicant goes through the networks when selecting a BSS. The priority groups will be iterated in decreasing priority (i.e., the larger the priority value, the sooner the network is matched against the scan results). Within each priority group, networks will be selected based on security policy, signal strength, etc.
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.psk
The network's pre-shared key in plaintext. When left unset, the network defaults to one without any authentication.
Warning
Be aware that this will be written to the nix store in plaintext! Use an environment variable instead.
Note
Mutually exclusive with pskRaw.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.networks.<name>.pskRaw
The network's pre-shared key in hex. When left unset, the network defaults to one without any authentication.
Warning
Be aware that this will be written to the nix store in plaintext! Use an environment variable instead.
Note
Mutually exclusive with psk.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
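The plaintext warnings on psk and pskRaw, and on the WireGuard privateKey and presharedKey options earlier, can be enforced at evaluation time so that nixos-rebuild refuses a configuration carrying an inline secret. This is an added example, not part of the NixOS manual: the helper names (isPlaceholder, inlinePsk, inlineWgKey) and the network name home are hypothetical, and the check does not inspect the free-form auth string.

```nix
{ config, lib, ... }:
let
  # True when the value is unset or is exactly one @varname@ placeholder that
  # networking.wireless.environmentFile will substitute at runtime.
  isPlaceholder = v:
    v == null || builtins.match "@[A-Za-z_][A-Za-z0-9_]*@" v != null;

  wifi = config.networking.wireless.networks;
  # Names of wireless networks whose psk or pskRaw is a literal secret.
  inlinePsk = lib.attrNames (lib.filterAttrs
    (_: n: !(isPlaceholder n.psk && isPlaceholder n.pskRaw)) wifi);

  wg = config.networking.wireguard.interfaces;
  # Names of WireGuard interfaces with an inline private or preshared key.
  inlineWgKey = lib.attrNames (lib.filterAttrs
    (_: i: i.privateKey != null
           || lib.any (p: p.presharedKey != null) i.peers) wg);
in
{
  networking.wireless = {
    enable = true;
    # Holds PSK_HOME=...; lives outside the Nix store (path from the manual).
    environmentFile = "/run/secrets/wireless.env";
    # Per the fallbackToWPA2 entry: disabling avoids possible downgrade
    # attacks. Do this only if every configured access point offers WPA3.
    fallbackToWPA2 = false;
    networks.home.psk = "@PSK_HOME@";
  };

  assertions = [
    {
      assertion = inlinePsk == [ ];
      message = "Inline wireless PSK (would land in /nix/store) for: "
        + lib.concatStringsSep ", " inlinePsk;
    }
    {
      assertion = inlineWgKey == [ ];
      message = "Inline WireGuard key (use privateKeyFile/presharedKeyFile) on: "
        + lib.concatStringsSep ", " inlineWgKey;
    }
    {
      # Placeholders are useless without the file that defines them.
      assertion = wifi == { }
        || config.networking.wireless.environmentFile != null;
      message = "networking.wireless.networks is set but environmentFile is null.";
    }
  ];
}
```

Replacing "@PSK_HOME@" with a literal passphrase makes evaluation fail with the first message before anything is written to the store.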
- networking.wireless.scanOnLowSignal
Whether to periodically scan for (better) networks when the signal of the current one is low. This will make roaming between access points faster, but will consume more power.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.userControlled.enable
Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don't want to depend on a large package such as NetworkManager just to pick nearby access points.
When using a declarative network specification you cannot persist any settings via wpa_gui or wpa_cli.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wireless.userControlled.group
Members of this group can control wpa_supplicant.
Type: string
Default: "wheel"
Example: "network"
Declared by:
<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
- networking.wlanInterfaces
Creating multiple WLAN interfaces on top of one physical WLAN device (NIC).
The name of the WLAN interface corresponds to the name of the attribute. A NIC is referenced by the persistent device name of the WLAN interface that udev assigns to a NIC by default. If a NIC supports multiple WLAN interfaces, then the one NIC can be used as device for multiple WLAN interfaces. If a NIC is used for creating WLAN interfaces, then the default WLAN interface with a persistent device name from udev is not created. A WLAN interface with the persistent name assigned from udev would have to be created explicitly.
Type: attribute set of submodules
Default: { }
Example:
{ wlan-station0 = { device = "wlp6s0"; }; wlan-adhoc0 = { type = "ibss"; device = "wlp6s0"; mac = "02:00:00:00:00:01"; }; wlan-p2p0 = { device = "wlp6s0"; mac = "02:00:00:00:00:02"; }; wlan-ap0 = { device = "wlp6s0"; mac = "02:00:00:00:00:03"; }; }
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wlanInterfaces.<name>.device
The name of the underlying hardware WLAN device as assigned by udev.
Type: string
Example: "wlp6s0"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wlanInterfaces.<name>.flags
Flags for interface of type monitor.
Type: null or one of "none", "fcsfail", "control", "otherbss", "cook", "active"
Default: null
Example: "control"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wlanInterfaces.<name>.fourAddr
Whether to enable 4-address mode with type managed.
Type: null or boolean
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wlanInterfaces.<name>.mac
MAC address to use for the device. If null, then the MAC of the underlying hardware WLAN device is used.
INFO: Locally administered MAC addresses are of the form:
- x2:xx:xx:xx:xx:xx
- x6:xx:xx:xx:xx:xx
- xA:xx:xx:xx:xx:xx
- xE:xx:xx:xx:xx:xx
Type: null or string
Default: null
Example: "02:00:00:00:00:01"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wlanInterfaces.<name>.meshID
MeshID of interface with type mesh.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- networking.wlanInterfaces.<name>.type
The type of the WLAN interface. The type has to be supported by the underlying hardware of the device.
Type: one of "managed", "ibss", "monitor", "mesh", "wds"
Default: "managed"
Example: "ibss"
Declared by:
<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
- nix.enable
Whether to enable Nix. Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.package
This option specifies the Nix package instance to use throughout the system.
Type: package
Default: pkgs.nix
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.allowedUsers
A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.trustedUsers, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *. Note that trusted users are always allowed to connect.
Type: list of strings
Default: [ "*" ]
Example: [ "@wheel" "@builders" "alice" "bob" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.autoOptimiseStore
If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.binaryCachePublicKeys
List of public keys used to sign binary caches. If nix.requireSignedBinaryCaches is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key for cache.nixos.org is included.
Type: list of strings
Example: [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.binaryCaches
List of binary cache URLs used to obtain pre-built binaries of Nix packages.
By default https://cache.nixos.org/ is added, to override it use lib.mkForce [].
Type: list of strings
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildCores
This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.
Type: signed integer
Default: 0
Example: 64
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines
This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store.
Type: list of submodules
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.hostName
The hostname of the build machine.
Type: string
Example: "nixbuilder.example.org"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.mandatoryFeatures
A list of features mandatory for this builder. The builder will be ignored for derivations that don't require all features in this list. All mandatory features are automatically included in supportedFeatures.
Type: list of strings
Default: [ ]
Example: [ "big-parallel" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.maxJobs
The number of concurrent jobs the build machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build machines.
Type: signed integer
Default: 1
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.speedFactor
The relative speed of this builder. This is an arbitrary integer that indicates the speed of this builder, relative to other builders. Higher is faster.
Type: signed integer
Default: 1
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.sshKey
The path to the SSH private key with which to authenticate on the build machine. The private key must not have a passphrase. If null, the building user (root on NixOS machines) must have an appropriate ssh configuration to log in non-interactively.
Note that for security reasons, this path must point to a file in the local filesystem, *not* to the nix store.
Type: null or string
Default: null
Example: "/root/.ssh/id_buildhost_builduser"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.sshUser
The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in nix.trustedUsers.
Type: null or string
Default: null
Example: "builder"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.supportedFeatures
A list of features supported by this builder. The builder will be ignored for derivations that require features not in this list.
Type: list of strings
Default: [ ]
Example: [ "kvm" "big-parallel" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.system
The system type the build machine can execute derivations on. Either this attribute or systems must be present, where system takes precedence if both are set.
Type: null or string
Default: null
Example: "x86_64-linux"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.buildMachines.*.systems
The system types the build machine can execute derivations on. Either this attribute or system must be present, where system takes precedence if both are set.
Type: list of strings
Default: [ ]
Example: [ "x86_64-linux" "aarch64-linux" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.checkConfig
If enabled (the default), checks that Nix can parse the generated nix.conf.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.daemonCPUSchedPolicy
Nix daemon process CPU scheduling policy. This policy propagates to build processes. other is the default scheduling policy for regular tasks. The batch policy is similar to other, but optimised for non-interactive tasks. idle is for extremely low-priority tasks that should only be run when no other task requires CPU time.
Please note that while using the idle policy may greatly improve responsiveness of a system performing expensive builds, it may also slow down and potentially starve crucial configuration updates during load.
Type: one of "other", "batch", "idle"
Default: "other"
Example: "batch"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.daemonIOSchedClass
Nix daemon process I/O scheduling class. This class propagates to build processes. best-effort is the default class for regular tasks. The idle class is for extremely low-priority tasks that should only perform I/O when no other task does.
Please note that while using the idle scheduling class can improve responsiveness of a system performing expensive builds, it might also slow down or starve crucial configuration updates during load.
Type: one of "best-effort", "idle"
Default: "best-effort"
Example: "idle"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.daemonIOSchedPriority
Nix daemon process I/O scheduling priority. This priority propagates to build processes. The supported priorities depend on the scheduling policy: With idle, priorities are not used in scheduling decisions. best-effort supports values in the range 0 (high) to 7 (low).
Type: signed integer
Default: 0
Example: 1
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.distributedBuilds
Whether to distribute builds to the machines listed in nix.buildMachines.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.extraOptions
Additional text appended to nix.conf.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  keep-outputs = true
  keep-derivations = true
''
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.gc.automatic
Automatically run the garbage collector at a specific time.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
- nix.gc.dates
How often or when garbage collection is performed. For most desktop and server systems a sufficient garbage collection is once a week.
The format is described in systemd.time(7).
Type: string
Default: "03:15"
Example: "weekly"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
- nix.gc.options
Options given to nix-collect-garbage when the garbage collector is run automatically.
Type: string
Default: ""
Example: "--max-freed $((64 * 1024**3))"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
- nix.gc.persistent
Takes a boolean argument. If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. Such triggering is nonetheless subject to the delay imposed by RandomizedDelaySec=. This is useful to catch up on missed runs of the service when the system was powered down.
Type: boolean
Default: true
Example: false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
- nix.gc.randomizedDelaySec
Add a randomized delay before each automatic garbage collection run. The delay will be chosen between zero and this value. This value must be a time span in the format specified by systemd.time(7).
Type: string
Default: "0"
Example: "45min"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
- nix.maxJobs
This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommended to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).
Type: signed integer or value "auto" (singular enum)
Default: "auto"
Example: 64
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.nixPath
The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets (e.g. <nixpkgs>).
Type: list of strings
Default: [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.nrBuildUsers
Number of nixbld user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.optimise.automatic
Automatically run the nix store optimiser at a specific time.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-optimise.nix>
- nix.optimise.dates
Specification (in the format described by systemd.time(7)) of the time at which the optimiser will run.
Type: list of strings
Default: [ "03:45" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-optimise.nix>
- nix.readOnlyStore
If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount. Nix will automatically make the store writable when needed.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.registry
A system-wide flake registry.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.registry.<name>.exact
Whether the from reference needs to match exactly. If set, a from reference like nixpkgs does not match with a reference like nixpkgs/nixos-20.03.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.registry.<name>.flake
The flake input to which from is to be rewritten.
Type: null or attribute set
Default: null
Example: nixpkgs
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.registry.<name>.from
The flake reference to be rewritten.
Type: attribute set of string or signed integer or boolean or packages
Example: { id = "nixpkgs"; type = "indirect"; }
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.registry.<name>.to
The flake reference to which from is to be rewritten.
Type: attribute set of string or signed integer or boolean or packages
Example: { owner = "my-org"; repo = "my-nixpkgs"; type = "github"; }
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.requireSignedBinaryCaches
If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.binaryCachePublicKeys. If disabled, signatures are neither required nor checked, so it's strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.sandboxPaths
Directories from the host filesystem to be included in the sandbox.
Type: list of strings
Default: [ ]
Example: [ "/dev" "/proc" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.sshServe.enable
Whether to enable serving the Nix store as a remote store via SSH.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
- nix.sshServe.keys
A list of SSH public keys allowed to access the binary cache via SSH.
Type: list of strings
Default: [ ]
Example: [ "ssh-dss AAAAB3NzaC1k... alice@example.org" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
- nix.sshServe.protocol
The specific Nix-over-SSH protocol to use.
Type: one of "ssh", "ssh-ng"
Default: "ssh"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
- nix.sshServe.write
Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.trustedUsers option in most use cases, such as allowing remote building of derivations.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
- nix.systemFeatures
The supported features of a machine.
Type: list of strings
Example: [ "kvm" "big-parallel" "gccarch-skylake" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.trustedBinaryCaches
List of binary cache URLs that non-root users can use (in addition to those specified using nix.binaryCaches) by passing --option binary-caches to Nix commands.
Type: list of strings
Default: [ ]
Example: [ "https://hydra.nixos.org/" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.trustedUsers
A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with @; for instance, @wheel means all users in the wheel group.
Type: list of strings
Default: [ "root" ]
Example: [ "root" "alice" "@wheel" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
- nix.useSandbox
If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment. This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn't affect derivation hashes, so changing this option will not trigger a rebuild of packages.
Type: boolean or value "relaxed" (singular enum)
Default: true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
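The daemon access, cache trust, sandbox and remote-builder options documented above, combined in one configuration.nix fragment. This is an added example, not part of the man page: the option names are the ones listed here, while the cache URL, the public key value and the maxJobs figure are constructed placeholders that must be replaced.

```nix
# Added example: restricting who can use the Nix daemon and which binaries
# it will accept. Values marked "placeholder" are constructed.
{ ... }:

{
  # Who may connect to the Nix daemon at all. The default [ "*" ] admits
  # every local account; narrow it to the groups that actually build.
  nix.allowedUsers = [ "@wheel" "@builders" ];

  # Trusted users may specify additional binary caches and import unsigned
  # NARs, which sidesteps the signature policy below. Keep the list minimal
  # and avoid broad groups such as "@wheel" here.
  nix.trustedUsers = [ "root" ];

  # Only use substitutes signed by a key in nix.binaryCachePublicKeys.
  # This is the default; stating it makes the policy visible in review.
  nix.requireSignedBinaryCaches = true;

  # https://cache.nixos.org/ and its key are included by default, so only
  # the additional cache is listed. Use https URLs only.
  nix.binaryCaches = [
    "https://cache.example.org/"                            # placeholder URL
  ];
  nix.binaryCachePublicKeys = [
    "cache.example.org-1:REPLACE_WITH_BASE64_PUBLIC_KEY="   # placeholder key
  ];

  # Caches that non-root users may opt into with --option binary-caches.
  # Empty means unprivileged users cannot add sources of binaries.
  nix.trustedBinaryCaches = [ ];

  # Build inside the sandbox and expose no extra host directories to it.
  nix.useSandbox = true;
  nix.sandboxPaths = [ ];

  # Keep /nix/store mounted read-only outside of Nix operations.
  nix.readOnlyStore = true;

  # Remote builder reached over SSH.
  nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = "nixbuilder.example.org";
      system = "x86_64-linux";
      sshUser = "builder";
      # A string naming a file on the local filesystem. The Nix store is
      # world-readable, so the private key must never be placed in it.
      sshKey = "/root/.ssh/id_buildhost_builduser";
      maxJobs = 4;                                          # placeholder
      supportedFeatures = [ "big-parallel" ];
    }
  ];
}
```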
- nixops.enableDeprecatedAutoLuks
Whether to enable the deprecated NixOps AutoLuks module.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/misc/nixops-autoluks.nix>
- nixpkgs.config
The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options.
Ignored when nixpkgs.pkgs is set.
Type: nixpkgs config
Default: { }
Example:
{ allowBroken = true; allowUnfree = true; }
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
- nixpkgs.crossSystem
Specifies the platform for which NixOS should be built. Specify this only if it is different from nixpkgs.localSystem, the platform on which NixOS should be built. In other words, specify this to cross-compile NixOS. Otherwise it should be set as null, the default. See its description in the Nixpkgs manual for more details.
Ignored when nixpkgs.pkgs is set.
Type: null or attribute set
Default: null
Example: { config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux"; }
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
- nixpkgs.localSystem
Specifies the platform on which NixOS should be built. When nixpkgs.crossSystem is unset, it also specifies the platform for which NixOS should be built. If this option is unset, it defaults to the platform type of the machine where evaluation happens. Specifying this option is useful when doing distributed multi-platform deployment, or when building virtual machines. See its description in the Nixpkgs manual for more details.
Ignored when nixpkgs.pkgs is set.
Type: attribute set
Default: (import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatform
Example: { config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux"; }
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
- nixpkgs.overlays
List of overlays to use with the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to override packages globally. Each function in the list takes as an argument the original Nixpkgs. The first argument should be used for finding dependencies, and the second should be used for overriding recipes.
If nixpkgs.pkgs is set, overlays specified here will be applied after the overlays that were already present in nixpkgs.pkgs.
Type: list of nixpkgs overlays
Default: [ ]
Example:
[
  (self: super: {
    openssh = super.openssh.override {
      hpnSupport = true;
      kerberos = self.libkrb5;
    };
  })
]
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
- nixpkgs.pkgs
If set, the pkgs argument to all NixOS modules is the value of this option, extended with nixpkgs.overlays, if that is also set. Either nixpkgs.crossSystem or nixpkgs.localSystem will be used in an assertion to check that the NixOS and Nixpkgs architectures match. Any other options in nixpkgs.*, notably config, will be ignored.
If unset, the pkgs argument to all NixOS modules is determined as shown in the default value for this option.
The default value imports the Nixpkgs source files relative to the location of this NixOS module, because NixOS and Nixpkgs are distributed together for consistency, so the nixos in the default value is in fact a relative path. The config, overlays, localSystem, and crossSystem come from this option's siblings.
This option can be used by applications like NixOps to increase the performance of evaluation, or to create packages that depend on a container that should be built with the exact same evaluation of Nixpkgs, for example. Applications like this should set their default value using lib.mkDefault, so user-provided configuration can override it without using lib.
Note that using a distinct version of Nixpkgs with NixOS may be an unexpected source of problems. Use this option with care.
Type: An evaluation of Nixpkgs; the top level attribute set of packages
Default:
import "${nixos}/.." { inherit (cfg) config overlays localSystem crossSystem; }
Example: import <nixpkgs> {}
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
- nixpkgs.system
Specifies the Nix platform type on which NixOS should be built. It is better to specify nixpkgs.localSystem instead.
{ nixpkgs.system = ..; }
is the same as
{ nixpkgs.localSystem.system = ..; }
See nixpkgs.localSystem for more information.
Ignored when nixpkgs.localSystem is set. Ignored when nixpkgs.pkgs is set.
Type: string
Example: "i686-linux"
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
- power.ups.enable
Enables support for Power Devices, such as Uninterruptible Power Supplies, Power Distribution Units and Solar Controllers.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.maxStartDelay
This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.
Type: signed integer
Default: 45
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.mode
The MODE determines which part of the NUT is to be started, and which configuration files must be modified.
The values of MODE can be:
- none: NUT is not configured, or the Integrated Power Management or some external system is used to start up the NUT components, so nothing is started.
- standalone: This mode addresses a local-only configuration, with 1 UPS protecting the local system. It implies starting the 3 NUT layers (driver, upsd and upsmon) and the matching configuration files. This mode can also address UPS redundancy.
- netserver: Same as the standalone configuration, but it also needs some more ACLs and possibly a specific LISTEN directive in upsd.conf. Since this MODE is open to the network, special care should be applied to security concerns.
- netclient: this mode only requires upsmon.
Type: string
Default: "standalone"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.schedulerRules
File which contains the rules to handle UPS events.
Type: string
Example: "/etc/nixos/upssched.conf"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups
This is where you configure all the UPSes that this system will be monitoring directly. These are usually attached to serial ports, but USB devices are also supported.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.description
Description of the UPS.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.directives
List of configuration directives for this UPS.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.driver
Specify the program to run to talk to this UPS. apcsmart, bestups, and sec are some examples.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.maxStartDelay
This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.port
The serial port to which your UPS is connected. /dev/ttyS0 is usually the first port on Linux boxes, for example.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.shutdownOrder
When you have multiple UPSes on your system, you usually need to turn them off in a certain order. upsdrvctl shuts down all the 0s, then the 1s, 2s, and so on. To exclude a UPS from the shutdown sequence, set this to -1.
Type: signed integer
Default: 0
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- power.ups.ups.<name>.summary
Lines which would be added inside ups.conf for handling this UPS.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/monitoring/ups.nix>
- powerManagement.enable
Whether to enable power management. This includes support for suspend-to-RAM and powersave features on laptops.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/config/power-management.nix>
- powerManagement.cpuFreqGovernor
Configure the governor used to regulate the frequency of the available CPUs. By default, the kernel configures the performance governor, although this may be overwritten in your hardware-configuration.nix file.
Often used values: "ondemand", "powersave", "performance"
Type: null or string
Default: null
Example: "ondemand"
Declared by:
<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
- powerManagement.cpufreq.max
The maximum frequency the CPU will use. Defaults to the maximum possible.
Type: null or unsigned integer, meaning >=0
Default: null
Example: 2200000
Declared by:
<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
- powerManagement.cpufreq.min
The minimum frequency the CPU will use.
Type: null or unsigned integer, meaning >=0
Default: null
Example: 800000
Declared by:
<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
- powerManagement.powerDownCommands
Commands executed when the machine powers down. That is, they're executed both when the system shuts down and when it goes to suspend or hibernation.
Type: strings concatenated with "\n"
Default: ""
Example:
"${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"
Declared by:
<nixpkgs/nixos/modules/config/power-management.nix>
- powerManagement.powerUpCommands
Commands executed when the machine powers up. That is, they're executed both when the system first boots and when it resumes from suspend or hibernation.
Type: strings concatenated with "\n"
Default: ""
Example:
"${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"
Declared by:
<nixpkgs/nixos/modules/config/power-management.nix>
- powerManagement.powertop.enable
Whether to enable powertop auto tuning on startup.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/tasks/powertop.nix>
- powerManagement.resumeCommands
Commands executed after the system resumes from suspend-to-RAM.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/config/power-management.nix>
- powerManagement.scsiLinkPolicy
SCSI link power management policy. The kernel default is "max_performance".
"med_power_with_dipm" is supported by kernel versions 4.15 and newer.
Type: null or one of "min_power", "max_performance", "medium_power", "med_power_with_dipm"
Default: null
Declared by:
<nixpkgs/nixos/modules/tasks/scsi-link-power-management.nix>
- programs.adb.enable
Whether to configure system to use Android Debug Bridge (adb). To grant access to a user, it must be part of adbusers group: users.users.alice.extraGroups = ["adbusers"];
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/adb.nix>
- programs.appgate-sdp.enable
Whether to enable AppGate SDP VPN client.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/appgate-sdp.nix>
- programs.atop.enable
Whether to enable Atop.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.package
Which package to use for Atop.
Type: package
Default: pkgs.atop
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.atopRotateTimer.enable
Whether to enable the atop-rotate timer, which restarts the atop service daily to make sure the data files are rotated.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.atopService.enable
Whether to enable the atop service responsible for storing statistics for long-term analysis.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.atopacctService.enable
Whether to enable the atopacct service which manages process accounting. This allows Atop to gather data about processes that disappeared in between two refresh intervals.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.atopgpu.enable
Whether to install and enable the atopgpud daemon to get information about NVIDIA gpus.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.netatop.enable
Whether to install and enable the netatop kernel module. Note: this sets the kernel taint flag "O" for loading out-of-tree modules.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.netatop.package
Which package to use for netatop.
Type: package
Default: config.boot.kernelPackages.netatop
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.settings
Parameters to be written to /etc/atoprc.
Type: attribute set
Default: { }
Example: { flags = "a1f"; interval = 5; }
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.atop.setuidWrapper.enable
Whether to install a setuid wrapper for Atop. This is required to use some of the features as non-root user (e.g.: ipc information, netatop, atopgpu). Atop tries to drop the root privileges shortly after starting.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/atop.nix>
- programs.autojump.enable
Whether to enable autojump.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/autojump.nix>
- programs.bandwhich.enable
Whether to add bandwhich to the global environment and configure a setcap wrapper for it.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/bandwhich.nix>
- programs.bash.enableCompletion
Whether to enable Bash completion for all interactive bash shells.
Type: boolean
Default: true
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash-completion.nix>
- programs.bash.enableLsColors
Whether to enable extra colors in directory listings.
Type: boolean
Default: true
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/bash/ls-colors.nix>
- programs.bash.interactiveShellInit
Shell script code called during interactive bash shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
- programs.bash.loginShellInit
Shell script code called during login bash shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
- programs.bash.promptInit
Shell script code used to initialise the bash prompt.
Type: strings concatenated with "\n"
Default:
''
  # Provide a nice prompt if the terminal supports it.
  if [ "$TERM" != "dumb" ] || [ -n "$INSIDE_EMACS" ]; then
    PROMPT_COLOR="1;31m"
    ((UID)) && PROMPT_COLOR="1;32m"
    if [ -n "$INSIDE_EMACS" ] || [ "$TERM" = "eterm" ] || [ "$TERM" = "eterm-color" ]; then
      # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
      PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
    else
      PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] "
    fi
    if test "$TERM" = "xterm"; then
      PS1="\[\033]2;\h:\u:\w\007\]$PS1"
    fi
  fi
''
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
- programs.bash.shellAliases
Set of aliases for bash shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.
Type: attribute set of null or string or paths
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
- programs.bash.shellInit
Shell script code called during bash shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
- programs.bash.undistractMe.enable
Whether to enable notifications when long-running terminal commands complete.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/bash/undistract-me.nix>
- programs.bash.undistractMe.playSound
Whether to enable notification sounds when long-running terminal commands complete.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/bash/undistract-me.nix>
- programs.bash.undistractMe.timeout
Number of seconds it would take for a command to be considered long-running.
Type: signed integer
Default: 10
Declared by:
<nixpkgs/nixos/modules/programs/bash/undistract-me.nix>
- programs.bash.vteIntegration
Whether to enable Bash integration for VTE terminals. This allows it to preserve the current directory of the shell across terminals.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/vte.nix>
- programs.bash-my-aws.enable
Whether to enable bash-my-aws.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/bash-my-aws.nix>
- programs.bcc.enable
Whether to enable bcc.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/bcc.nix>
- programs.browserpass.enable
Whether to enable Browserpass native messaging host.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/browserpass.nix>
- programs.calls.enable
Whether to enable GNOME calls: a phone dialer and call handler.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/calls.nix>
- programs.captive-browser.enable
Whether to enable captive browser.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.captive-browser.package
Which package to use for captive-browser.
Type: package
Default: pkgs.captive-browser
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.captive-browser.bindInterface
Binds captive-browser to the network interface declared in cfg.interface. This can be used to avoid collisions with private subnets.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.captive-browser.browser
The shell (/bin/sh) command executed once the proxy starts. When browser exits, the proxy exits. An extra env var PROXY is available.
Here, we use a separate Chrome instance in Incognito mode, so that it can run (and be waited for) alongside the default one, and that it maintains no state across runs. To configure this browser open a normal window in it, settings will be preserved.
@volth: chromium is to open a plain HTTP (not HTTPS nor redirect to HTTPS!) website. upstream uses http://example.com but I have seen captive portals whose DNS server resolves "example.com" to 127.0.0.1
Type: string
Default: ''env XDG_CONFIG_HOME="$PREV_CONFIG_HOME" ''${pkgs.chromium}/bin/chromium --user-data-dir=''${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive --proxy-server="socks5://$PROXY" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost" --no-first-run --new-window --incognito -no-default-browser-check http://cache.nixos.org/''
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.captive-browser.dhcp-dns
The shell (/bin/sh) command executed to obtain the DHCP DNS server address. The first match of an IPv4 regex is used. IPv4 only, because let's be real, it's a captive portal.
Type: string
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.captive-browser.interface
Your public network interface (wlp3s0, wlan0, eth0, ...).
Type: string
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.captive-browser.socks5-addr
The listen address for the SOCKS5 proxy server.
Type: string
Default: "localhost:1666"
Declared by:
<nixpkgs/nixos/modules/programs/captive-browser.nix>
- programs.ccache.enable
Whether to enable CCache.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/ccache.nix>
- programs.ccache.packageNames
Nix top-level packages to be compiled using CCache
Type: list of strings
Default: [ ]
Example: [ "wxGTK30" "ffmpeg" "libav_all" ]
Declared by:
<nixpkgs/nixos/modules/programs/ccache.nix>
- programs.ccache.cacheDir
CCache directory
Type: path
Default: "/var/cache/ccache"
Declared by:
<nixpkgs/nixos/modules/programs/ccache.nix>
- programs.cdemu.enable
Whether to enable cdemu for members of programs.cdemu.group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/cdemu.nix>
- programs.cdemu.group
Group that users must be in to use cdemu.
Type: string
Default: "cdrom"
Declared by:
<nixpkgs/nixos/modules/programs/cdemu.nix>
- programs.cdemu.gui
Whether to install the cdemu GUI (gCDEmu).
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/cdemu.nix>
- programs.cdemu.image-analyzer
Whether to install the image analyzer.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/cdemu.nix>
- programs.chromium.enable
Whether to enable chromium policies.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/chromium.nix>
- programs.chromium.defaultSearchProviderSearchURL
Chromium default search provider url.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/programs/chromium.nix>
- programs.chromium.defaultSearchProviderSuggestURL
Chromium default search provider url for suggestions.
Type: null or string
Default: null
Example: "https://encrypted.google.com/complete/search?output=chrome&q={searchTerms}"
Declared by:
<nixpkgs/nixos/modules/programs/chromium.nix>
- programs.chromium.extensions
List of chromium extensions to install. To find an extension's ID, see the id in the URL of its Chrome Web Store page. To install a chromium extension not included in the Chrome Web Store, append to the extension id a semicolon ";" followed by a URL pointing to an Update Manifest XML file. See ExtensionInstallForcelist for additional details.
Type: list of strings
Default: [ ]
Example:
[
  "chlffgpmiacpedhhbkiomidkjlcfhogd" # pushbullet
  "mbniclmhobmnbdlbpiphghaielnnpgdp" # lightshot
  "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere
  "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
]
Declared by:
<nixpkgs/nixos/modules/programs/chromium.nix>
- programs.chromium.extraOpts
Extra chromium policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/ Make sure the selected policy is supported on Linux and your browser version.
Type: attribute set
Default: { }
Example:
{ "BrowserSignin" = 0; "SyncDisabled" = true; "PasswordManagerEnabled" = false; "SpellcheckEnabled" = true; "SpellcheckLanguage" = [ "de" "en-US" ]; }
Declared by:
<nixpkgs/nixos/modules/programs/chromium.nix>
- programs.chromium.homepageLocation
Chromium default homepage
Type: null or string
Default: null
Example: "https://nixos.org"
Declared by:
<nixpkgs/nixos/modules/programs/chromium.nix>
- programs.clickshare-csc1.enable
Whether to enable Barco ClickShare CSC-1 driver/client. This allows users in the clickshare group to access and use a ClickShare USB dongle that is connected to the machine.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/clickshare.nix>
- programs.cnping.enable
Whether to install a setcap wrapper for cnping.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/cnping.nix>
- programs.command-not-found.enable
Whether interactive shells should show which Nix package (if any) provides a missing command.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix>
- programs.command-not-found.dbPath
Absolute path to programs.sqlite.
By default this file will be provided by your channel (nixexprs.tar.xz).
Type: path
Default: "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite"
Declared by:
<nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix>
- programs.corectrl.enable
Whether to enable corectrl, a tool to overclock AMD graphics cards and processors. Add your user to the corectrl group to run corectrl without needing to enter your password.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/corectrl.nix>
- programs.corectrl.gpuOverclock.enable
Whether to enable GPU overclocking.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/hardware/corectrl.nix>
- programs.corectrl.gpuOverclock.ppfeaturemask
Sets the `amdgpu.ppfeaturemask` kernel option. In particular, it is used here to set the overdrive bit. Default is `0xfffd7fff` as it is less likely to cause flicker issues. Setting it to `0xffffffff` enables all features.
Type: string
Default: "0xfffd7fff"
Example: "0xffffffff"
Declared by:
<nixpkgs/nixos/modules/hardware/corectrl.nix>
- programs.criu.enable
Install criu along with necessary kernel options.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/criu.nix>
- programs.dconf.enable
Whether to enable dconf.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/dconf.nix>
- programs.dconf.packages
A list of packages which provide dconf profiles and databases in /etc/dconf.
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/programs/dconf.nix>
- programs.digitalbitbox.enable
Installs the Digital Bitbox application and enables the complementary hardware module.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/digitalbitbox/default.nix>
- programs.digitalbitbox.package
The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.
Type: package
Default: pkgs.digitalbitbox
Declared by:
<nixpkgs/nixos/modules/programs/digitalbitbox/default.nix>
- programs.dmrconfig.enable
Whether to configure system to enable use of dmrconfig. This enables the required udev rules and installs the program.
Type: boolean
Default: false
Related packages:
pkgs.dmrconfig (dmrconfig-1.1): Configuration utility for DMR radios.
DMRconfig is a utility for programming digital radios via USB programming cable.
Declared by:
<nixpkgs/nixos/modules/programs/dmrconfig.nix>
- programs.dmrconfig.package
dmrconfig derivation to use
Type: package
Default: pkgs.dmrconfig
Declared by:
<nixpkgs/nixos/modules/programs/dmrconfig.nix>
- programs.droidcam.enable
Whether to enable DroidCam client.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/droidcam.nix>
- programs.evince.enable
Whether to enable Evince, the GNOME document viewer.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/evince.nix>
- programs.evince.package
Evince derivation to use.
Type: package
Default: pkgs.evince
Declared by:
<nixpkgs/nixos/modules/programs/evince.nix>
- programs.evolution.enable
Whether to enable Evolution, a personal information management application that provides integrated mail, calendaring and address book functionality.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/desktops/gnome/evolution-data-server.nix>
- programs.evolution.plugins
Plugins for Evolution.
Type: list of packages
Default: [ ]
Example: [ pkgs.evolution-ews ]
Declared by:
<nixpkgs/nixos/modules/services/desktops/gnome/evolution-data-server.nix>
- programs.extra-container.enable
Whether to enable extra-container, a tool for running declarative NixOS containers without host system rebuilds.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/extra-container.nix>
- programs.feedbackd.enable
Whether to enable the feedbackd D-BUS service and udev rules.
Your user needs to be in the `feedbackd` group to trigger effects.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/feedbackd.nix>
- programs.feedbackd.package
Which feedbackd package to use.
Type: package
Default: pkgs.feedbackd
Declared by:
<nixpkgs/nixos/modules/programs/feedbackd.nix>
- programs.file-roller.enable
Whether to enable File Roller, an archive manager for GNOME.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/file-roller.nix>
- programs.file-roller.package
File Roller derivation to use.
Type: package
Default: pkgs.gnome.file-roller
Declared by:
<nixpkgs/nixos/modules/programs/file-roller.nix>
- programs.firejail.enable
Whether to enable firejail.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/firejail.nix>
- programs.firejail.wrappedBinaries
Wrap the binaries in firejail and place them in the global path.
You will get file collisions if you put the actual application binary in the global environment and applications started via .desktop files are not wrapped if they specify the absolute path to the binary.
Type: attribute set of path or submodules
Default: { }
Example:
{ firefox = { executable = "${lib.getBin pkgs.firefox}/bin/firefox"; profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; }; mpv = { executable = "${lib.getBin pkgs.mpv}/bin/mpv"; profile = "${pkgs.firejail}/etc/firejail/mpv.profile"; }; }
Declared by:
<nixpkgs/nixos/modules/programs/firejail.nix>
- programs.fish.enable
Whether to configure fish as an interactive shell.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.interactiveShellInit
Shell script code called during interactive fish shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.loginShellInit
Shell script code called during fish login shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.promptInit
Shell script code used to initialise fish prompt.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.shellAbbrs
Set of fish abbreviations.
Type: attribute set of strings
Default: { }
Example: { gco = "git checkout"; npu = "nix-prefetch-url"; }
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.shellAliases
Set of aliases for fish shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.
Type: attribute set of null or string or paths
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.shellInit
Shell script code called during fish shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.useBabelfish
If enabled, the configured environment will be translated to native fish using babelfish. Otherwise, foreign-env will be used.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.vendor.completions.enable
Whether fish should use completion files provided by other packages.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.vendor.config.enable
Whether fish should source configuration snippets provided by other packages.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.fish.vendor.functions.enable
Whether fish should autoload fish functions provided by other packages.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/fish.nix>
- programs.flashrom.enable
Installs flashrom and configures udev rules for programmers used by flashrom. Grants access to users in the "flashrom" group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/flashrom.nix>
- programs.flexoptix-app.enable
Whether to enable FLEXOPTIX app + udev rules.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/flexoptix-app.nix>
- programs.flexoptix-app.package
FLEXOPTIX app package to use
Type: package
Default: pkgs.flexoptix-app
Declared by:
<nixpkgs/nixos/modules/programs/flexoptix-app.nix>
- programs.fuse.mountMax
Set the maximum number of FUSE mounts allowed to non-root users.
Type: integer between 0 and 32767 (both inclusive)
Default: 1000
Declared by:
<nixpkgs/nixos/modules/programs/fuse.nix>
- programs.fuse.userAllowOther
Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/fuse.nix>
- programs.gamemode.enable
Whether to enable GameMode to optimise system performance on demand.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/gamemode.nix>
- programs.gamemode.enableRenice
Whether to enable CAP_SYS_NICE on gamemoded to support lowering process niceness.
Type: boolean
Default: true
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/gamemode.nix>
- programs.gamemode.settings
System-wide configuration for GameMode (/etc/gamemode.ini). See gamemoded(8) man page for available settings.
Type: attribute set of attribute sets of INI atoms (null, bool, int, float or string)
Default: { }
Example:
{
  general = {
    renice = 10;
  };
  # Warning: GPU optimisations have the potential to damage hardware
  gpu = {
    apply_gpu_optimisations = "accept-responsibility";
    gpu_device = 0;
    amd_performance_level = "high";
  };
  custom = {
    start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
    end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
  };
}
Declared by:
<nixpkgs/nixos/modules/programs/gamemode.nix>
- programs.geary.enable
Whether to enable Geary, a Mail client for GNOME 3.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/geary.nix>
- programs.git.enable
Whether to enable git.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/git.nix>
- programs.git.package
The git package to use
Type: package
Default: pkgs.git
Example: pkgs.gitFull
Declared by:
<nixpkgs/nixos/modules/programs/git.nix>
- programs.git.config
Configuration to write to /etc/gitconfig. See the CONFIGURATION FILE section of git-config(1) for more information.
Type: attribute set of attribute sets of anything
Default: { }
Example: { init = { defaultBranch = "main"; }; url = { "https://github.com/" = { insteadOf = [ "gh:" "github:" ]; }; }; }
Declared by:
<nixpkgs/nixos/modules/programs/git.nix>
- programs.git.lfs.enable
Whether to enable git-lfs.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/git.nix>
- programs.git.lfs.package
The git-lfs package to use
Type: package
Default: pkgs.git-lfs
Declared by:
<nixpkgs/nixos/modules/programs/git.nix>
- programs.gnome-disks.enable
Whether to enable GNOME Disks daemon, a program designed to be a UDisks2 graphical front-end.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnome-disks.nix>
- programs.gnome-documents.enable
Whether to enable GNOME Documents, a document manager application for GNOME.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnome-documents.nix>
- programs.gnome-terminal.enable
Whether to enable GNOME Terminal.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/gnome-terminal.nix>
- programs.gnupg.package
The gpg package that should be used.
Type: package
Default: pkgs.gnupg
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gnupg.agent.enable
Enables GnuPG agent with socket-activation for every user session.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gnupg.agent.enableBrowserSocket
Enable browser socket for GnuPG agent.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gnupg.agent.enableExtraSocket
Enable extra socket for GnuPG agent.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gnupg.agent.enableSSHSupport
Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK environment variable correctly. This will disable socket-activation and thus always start a GnuPG agent per user session.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gnupg.agent.pinentryFlavor
Which pinentry interface to use. If not null, the path to the pinentry binary will be passed to gpg-agent via commandline and thus overrides the pinentry option in gpg-agent.conf in the user's home directory. If not set at all, it'll pick an appropriate flavor depending on the system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce 4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
Type: null or one of "curses", "tty", "gtk2", "emacs", "gnome3", "qt"
Default: null
Example: "gnome3"
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gnupg.dirmngr.enable
Enables GnuPG network certificate management daemon with socket-activation for every user session.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gnupg.nix>
- programs.gpaste.enable
Whether to enable GPaste, a clipboard manager.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gpaste.nix>
- programs.gphoto2.enable
Whether to configure system to use gphoto2. To grant digital camera access to a user, the user must be part of the camera group: users.users.alice.extraGroups = ["camera"];
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/gphoto2.nix>
- programs.hamster.enable
Whether to enable hamster, a time tracking program.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/hamster.nix>
- programs.htop.enable
Whether to enable htop process monitor.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/htop.nix>
- programs.htop.package
The htop package that should be used.
Type: package
Default: "pkgs.htop"
Declared by:
<nixpkgs/nixos/modules/programs/htop.nix>
- programs.htop.settings
Extra global default configuration for htop which is read on first startup only. Htop subsequently uses ~/.config/htop/htoprc as configuration source.
Type: attribute set of strings, signed integers, booleans, or lists of strings, signed integers or booleans
Default: { }
Example: { hide_kernel_threads = true; hide_userland_threads = true; }
Declared by:
<nixpkgs/nixos/modules/programs/htop.nix>
- programs.iftop.enable
Whether to enable iftop + setcap wrapper.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/iftop.nix>
- programs.iotop.enable
Whether to enable iotop + setcap wrapper.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/iotop.nix>
- programs.java.enable
Install and setup the Java development kit.
Note
This adds JAVA_HOME to the global environment, by sourcing the jdk's setup-hook on shell init. It is equivalent to starting a shell through 'nix-shell -p jdk', or roughly the following system-wide configuration:
environment.variables.JAVA_HOME = ${pkgs.jdk.home}/lib/openjdk;
environment.systemPackages = [ pkgs.jdk ];
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/java.nix>
- programs.java.package
Java package to install. Typical values are pkgs.jdk or pkgs.jre.
Type: package
Default: pkgs.jdk
Declared by:
<nixpkgs/nixos/modules/programs/java.nix>
- programs.kbdlight.enable
Whether to enable kbdlight.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/kbdlight.nix>
- programs.kdeconnect.enable
Whether to enable kdeconnect.
Note that it will open the TCP and UDP ports from 1714 to 1764, as they are needed for it to function properly. You can use the package option to select gnomeExtensions.gsconnect as an alternative implementation if you use GNOME.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/kdeconnect.nix>
- programs.kdeconnect.package
The package providing the implementation for kdeconnect.
Type: package
Default: pkgs.kdeconnect
Example: pkgs.gnomeExtensions.gsconnect
Declared by:
<nixpkgs/nixos/modules/programs/kdeconnect.nix>
- programs.less.enable
Whether to enable less.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.clearDefaultCommands
Clear all default commands. You should remember to set the quit key. Otherwise you will not be able to leave less without killing it.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.commands
Defines new command keys.
Type: attribute set of strings
Default: { }
Example: { h = ''noaction 5\e(''; l = ''noaction 5\e)''; }
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.configFile
Path to lesskey configuration file.
configFile takes precedence over commands, clearDefaultCommands, lineEditingKeys, and envVariables.
Type: null or path
Default: null
Example: "${pkgs.my-configs}/lesskey"
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.envVariables
Defines environment variables.
Type: attribute set of strings
Default: { LESS = "-R"; }
Example: { LESS = "--quit-if-one-screen"; }
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.lessclose
When less closes a file opened in such a way, it will call another program, called the input postprocessor, which may perform any desired clean-up action (such as deleting the replacement file created by LESSOPEN).
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.lessopen
Before less opens a file, it first gives your input preprocessor a chance to modify the way the contents of the file are displayed.
Type: null or string
Default: "|${pkgs.lesspipe}/bin/lesspipe.sh %s"
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.less.lineEditingKeys
Defines new line-editing keys.
Type: attribute set of strings
Default: { }
Example: { e = "abort"; }
Declared by:
<nixpkgs/nixos/modules/programs/less.nix>
- programs.liboping.enable
Whether to enable liboping.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/liboping.nix>
- programs.light.enable
Whether to install Light backlight control command and udev rules granting access to members of the "video" group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/light.nix>
- programs.mininet.enable
Whether to enable Mininet.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/mininet.nix>
- programs.mosh.enable
Whether to enable mosh. Note, this will open ports in your firewall!
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/mosh.nix>
- programs.mosh.withUtempter
Whether to enable libutempter for mosh. This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). Note, this will add a setgid wrapper for the group utmp!
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/mosh.nix>
- programs.msmtp.enable
Whether to enable msmtp - an SMTP client.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/msmtp.nix>
- programs.msmtp.accounts
Named accounts and their respective configurations. The special name "default" allows a default account to be defined. See msmtp(1) for the available options.
Use `programs.msmtp.extraConfig` instead of this attribute set-based option if ordered account inheritance is needed.
It is advised to use the `passwordeval` setting to read the password from a secret file to avoid having it written in the world-readable nix store. The password file must end with a newline (`\n`).
Type: attribute set of attribute sets
Default: { }
Example: { default = { auth = true; host = "smtp.example"; passwordeval = "cat /secrets/password.txt"; user = "someone"; }; }
Declared by:
<nixpkgs/nixos/modules/programs/msmtp.nix>
- programs.msmtp.defaults
Default values applied to all accounts. See msmtp(1) for the available options.
Type: attribute set
Default: { }
Example: { aliases = "/etc/aliases"; port = 587; tls = true; }
Declared by:
<nixpkgs/nixos/modules/programs/msmtp.nix>
- programs.msmtp.extraConfig
Extra lines to add to the msmtp configuration verbatim. See msmtp(1) for the syntax and available options.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/msmtp.nix>
- programs.msmtp.setSendmail
Whether to set the system sendmail to msmtp's.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/msmtp.nix>
- programs.mtr.enable
Whether to add mtr to the global environment and configure a setcap wrapper for it.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/mtr.nix>
- programs.mtr.package
The package to use.
Type: package
Default: pkgs.mtr
Declared by:
<nixpkgs/nixos/modules/programs/mtr.nix>
- programs.nano.nanorc
The system-wide nano configuration. See nanorc(5).
Type: strings concatenated with "\n"
Default: ""
Example:
''
  set nowrap
  set tabstospaces
  set tabsize 2
''
Declared by:
<nixpkgs/nixos/modules/programs/nano.nix>
- programs.nano.syntaxHighlight
Whether to enable syntax highlight for various languages.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/nano.nix>
- programs.neovim.enable
Whether to enable Neovim.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.package
The package to use for the neovim binary.
Type: package
Default: pkgs.neovim-unwrapped
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.configure
Generate your init file from your list of plugins and custom commands. Neovim will then be wrapped to load nvim -u /nix/store/hash-vimrc
Type: attribute set
Default: { }
Example:
{
  customRC = ''
    " here your custom configuration goes!
  '';
  packages.myVimPackage = with pkgs.vimPlugins; {
    # loaded on launch
    start = [ fugitive ];
    # manually loadable by calling `:packadd $plugin-name`
    opt = [ ];
  };
}
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.defaultEditor
When enabled, installs neovim and configures neovim to be the default editor using the EDITOR environment variable.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.runtime
Set of files that have to be linked in runtime.
Type: attribute set of submodules
Default: { }
Example:
{ "ftplugin/c.vim".text = "setlocal omnifunc=v:lua.vim.lsp.omnifunc"; }
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.runtime.<name>.enable
Whether this /etc file should be generated. This option allows specific /etc files to be disabled.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.runtime.<name>.source
Path of the source file.
Type: path
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.runtime.<name>.target
Name of symlink. Defaults to the attribute name.
Type: string
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.runtime.<name>.text
Text of the file.
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.viAlias
Symlink vi to nvim binary.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.vimAlias
Symlink vim to nvim binary.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.withNodeJs
Enable Node provider.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.withPython3
Enable Python 3 provider.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.neovim.withRuby
Enable Ruby provider.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/neovim.nix>
- programs.nm-applet.enable
Whether to enable nm-applet.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/nm-applet.nix>
- programs.nm-applet.indicator
Whether to use indicator instead of status icon. It is needed for Appindicator environments, like Enlightenment.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/nm-applet.nix>
- programs.noisetorch.enable
Whether to enable noisetorch + setcap wrapper.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/noisetorch.nix>
- programs.noisetorch.package
The noisetorch package to use.
Type: package
Default: pkgs.noisetorch
Declared by:
<nixpkgs/nixos/modules/programs/noisetorch.nix>
- programs.npm.enable
Whether to enable npm global config.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/npm.nix>
- programs.npm.package
The npm package version / flavor to use
Type: package
Default: pkgs.nodePackages.npm
Example: pkgs.nodePackages_13_x.npm
Declared by:
<nixpkgs/nixos/modules/programs/npm.nix>
- programs.npm.npmrc
The system-wide npm configuration. See https://docs.npmjs.com/misc/config.
Type: strings concatenated with "\n"
Default:
'' prefix = ''${HOME}/.npm ''
Example:
''
  prefix = ''${HOME}/.npm
  https-proxy=proxy.example.com
  init-license=MIT
  init-author-url=http://npmjs.org
  color=true
''
Declared by:
<nixpkgs/nixos/modules/programs/npm.nix>
- programs.pantheon-tweaks.enable
Whether to enable Pantheon Tweaks, an unofficial system settings panel for Pantheon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/pantheon-tweaks.nix>
- programs.partition-manager.enable
Whether to enable KDE Partition Manager.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/partition-manager.nix>
- programs.phosh.enable
Whether to enable Phosh, related packages and default configurations.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/phosh.nix>
- programs.phosh.phocConfig
Configurations for the Phoc compositor.
Type: strings concatenated with "\n" or path or submodule
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/phosh.nix>
- programs.plotinus.enable
Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/plotinus.nix>
- programs.proxychains.enable
Whether to enable installing proxychains configuration.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.chain.length
Chain length for random chain.
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.chain.type
dynamic - Each connection is made via chained proxies. All proxies are chained in the order in which they appear in the list. At least one proxy must be online to play in the chain (dead proxies are skipped); otherwise EINTR is returned to the app.
strict - Each connection is made via chained proxies. All proxies are chained in the order in which they appear in the list. All proxies must be online to play in the chain; otherwise EINTR is returned to the app.
random - Each connection is made via a random proxy (or proxy chain, see programs.proxychains.chain.length) from the list.
Type: one of "dynamic", "strict", "random"
Default: "strict"
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.localnet
By default enable localnet for loopback address ranges.
Type: string
Default: "127.0.0.0/255.0.0.0"
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.proxies
Proxies to be used by proxychains.
Type: attribute set of submodules
Example:
{ myproxy = { type = "socks4"; host = "127.0.0.1"; port = 1337; }; }
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.proxies.<name>.enable
Whether to enable this proxy.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.proxies.<name>.host
Proxy host or IP address.
Type: string
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.proxies.<name>.port
Proxy port
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.proxies.<name>.type
Proxy type.
Type: one of "http", "socks4", "socks5"
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.proxyDNS
Proxy DNS requests - no leak for DNS data.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.quietMode
Whether to enable Quiet mode (no output from the library).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.remoteDNSSubnet
Set the class A subnet number to use for the internal remote DNS mapping, uses the reserved 224.x.x.x range by default.
Type: one of 10, 127, 224
Default: 224
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.tcpConnectTimeOut
Connection time-out in milliseconds.
Type: signed integer
Default: 8000
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.proxychains.tcpReadTimeOut
Connection read time-out in milliseconds.
Type: signed integer
Default: 15000
Declared by:
<nixpkgs/nixos/modules/programs/proxychains.nix>
- programs.qt5ct.enable
Whether to enable the Qt5 Configuration Tool (qt5ct), a program that allows users to configure Qt5 settings (theme, font, icons, etc.) under desktop environments or window manager without Qt integration.
Official home page: https://sourceforge.net/projects/qt5ct/
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/qt5ct.nix>
- programs.screen.screenrc
The contents of /etc/screenrc file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/screen.nix>
- programs.seahorse.enable
Whether to enable Seahorse, a GNOME application for managing encryption keys and passwords in the GNOME Keyring.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/seahorse.nix>
- programs.sedutil.enable
Whether to enable sedutil.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/sedutil.nix>
- programs.singularity.enable
Whether to enable Singularity.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/singularity.nix>
- programs.slock.enable
Whether to install slock screen locker with setuid wrapper.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/slock.nix>
- programs.spacefm.enable
Whether to install SpaceFM and create /etc/spacefm/spacefm.conf.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/spacefm.nix>
- programs.spacefm.settings
The system-wide spacefm configuration. Parameters to be written to /etc/spacefm/spacefm.conf. Refer to the relevant entry in the SpaceFM manual.
Type: attribute set
Default:
{ tmp_dir = "/tmp"; terminal_su = "${pkgs.sudo}/bin/sudo"; graphical_su = "${pkgs.gksu}/bin/gksu"; }
Declared by:
<nixpkgs/nixos/modules/programs/spacefm.nix>
- programs.ssh.package
The package used for the openssh client and daemon.
Type: package
Default: pkgs.openssh
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.agentPKCS11Whitelist
A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add.
Type: null or string
Default: null
Example: "${pkgs.opensc}/lib/opensc-pkcs11.so"
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.agentTimeout
How long to keep the private keys in memory. Use null to keep them forever.
Type: null or string
Default: null
Example: "1h"
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.askPassword
Program used by SSH to ask for passwords.
Type: string
Default: "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.ciphers
Specifies the ciphers allowed and their order of preference.
Type: null or list of strings
Default: null
Example: [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.extraConfig
Extra configuration text prepended to ssh_config. Other generated options will be added after a Host * pattern. See ssh_config(5) for help.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.forwardX11
Whether to request X11 forwarding on outgoing connections by default. This is useful for running graphical programs on the remote machine and having them display on your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.hostKeyAlgorithms
Specifies the host key algorithms that the client wants to use in order of preference.
Type: list of strings
Default: [ ]
Example: [ "ssh-ed25519" "ssh-rsa" ]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.kexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Type: null or list of strings
Default: null
Example: [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.knownHosts
The set of system-wide known SSH hosts.
Type: attribute set of submodules
Default: { }
Example:
{ myhost = { hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ]; publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; }; myhost2 = { hostNames = [ "myhost2" ]; publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; }; }
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.knownHosts.<name>.certAuthority
This public key is an SSH certificate authority, rather than an individual host's key.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.knownHosts.<name>.hostNames
A list of host names and/or IP numbers used for accessing the host's ssh service.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.knownHosts.<name>.publicKey
The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.
Type: null or string
Default: null
Example: "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.knownHosts.<name>.publicKeyFile
The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.macs
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection.
Type: null or list of strings
Default: null
Example: [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.pubkeyAcceptedKeyTypes
Specifies the key types that will be used for public key authentication.
Type: list of strings
Default: [ ]
Example: [ "ssh-ed25519" "ssh-rsa" ]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.setXAuthLocation
Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.
Type: boolean
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.ssh.startAgent
Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don't have to type in passphrases every time you make an SSH connection. Use ssh-add to add a key to the agent.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
- programs.steam.enable
Whether to enable steam.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/steam.nix>
- programs.steam.dedicatedServer.openFirewall
Open ports in the firewall for Source Dedicated Server.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/steam.nix>
- programs.steam.remotePlay.openFirewall
Open ports in the firewall for Steam Remote Play.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/steam.nix>
- programs.sway.enable
Whether to enable Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See https://github.com/swaywm/sway/wiki and "man 5 sway" for more information.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sway.extraOptions
Command line arguments passed to launch Sway. Please DO NOT report issues if you use an unsupported GPU (proprietary drivers).
Type: list of strings
Default: [ ]
Example: [ "--verbose" "--debug" "--unsupported-gpu" "--my-next-gpu-wont-be-nvidia" ]
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sway.extraPackages
Extra packages to be installed system wide. See https://github.com/swaywm/sway/wiki/Useful-add-ons-for-sway and https://github.com/swaywm/sway/wiki/i3-Migration-Guide#common-x11-apps-used-on-i3-with-wayland-alternatives for a list of useful software.
Type: list of packages
Default:
with pkgs; [ swaylock swayidle alacritty dmenu ];
Example:
with pkgs; [ i3status i3status-rust termite rofi light ]
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sway.extraSessionCommands
Shell commands executed just before Sway is started. See https://github.com/swaywm/sway/wiki/Running-programs-natively-under-wayland and https://github.com/swaywm/wlroots/blob/master/docs/env_vars.md for some useful environment variables.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  # SDL:
  export SDL_VIDEODRIVER=wayland
  # QT (needs qt5.qtwayland in systemPackages):
  export QT_QPA_PLATFORM=wayland-egl
  export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
  # Fix for some Java AWT applications (e.g. Android Studio),
  # use this if they aren't displayed properly:
  export _JAVA_AWT_WM_NONREPARENTING=1
''
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sway.wrapperFeatures
Attribute set of features to enable in the wrapper.
Type: submodule
Default: { }
Example: { gtk = true; }
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sway.wrapperFeatures.base
Whether to make use of the base wrapper to execute extra session commands and prepend a dbus-run-session to the sway command.
Type: boolean
Default: true
Example: false
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sway.wrapperFeatures.gtk
Whether to make use of the wrapGAppsHook wrapper to execute sway with required environment variables for GTK applications.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/sway.nix>
- programs.sysdig.enable
Whether to enable sysdig.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/sysdig.nix>
- programs.system-config-printer.enable
Whether to enable system-config-printer, a graphical user interface for CUPS administration.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/system-config-printer.nix>
- programs.systemtap.enable
Install systemtap along with necessary kernel options.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/systemtap.nix>
- programs.thefuck.enable
Whether to enable thefuck.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/thefuck.nix>
- programs.thefuck.alias
`thefuck` needs an alias to be configured. The default value is `fuck`, but you can use anything else as well.
Type: string
Default: "fuck"
Declared by:
<nixpkgs/nixos/modules/programs/thefuck.nix>
- programs.tilp2.enable
Enable tilp2 and udev rules for supported calculators.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/tilp2.nix>
- programs.tmux.enable
Whether to configure tmux system-wide.
Type: boolean
Default: false
Related packages:
pkgs.tmux (tmux-3.2a): Terminal multiplexer.
tmux is intended to be a modern, BSD-licensed alternative to programs such as GNU screen. Major features include:
* A powerful, consistent, well-documented and easily scriptable command interface.
* A window may be split horizontally and vertically into panes.
* Panes can be freely moved and resized, or arranged into preset layouts.
* Support for UTF-8 and 256-colour terminals.
* Copy and paste with multiple buffers.
* Interactive menus to select windows, sessions or clients.
* Change the current window by searching for text in the target.
* Terminal locking, manually or after a timeout.
* A clean, easily extended, BSD-licensed codebase, under active development.
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.aggressiveResize
Resize the window to the size of the smallest session for which it is the current window.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.baseIndex
Base index for windows and panes.
Type: signed integer
Default: 0
Example: 1
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.clock24
Use 24 hour clock.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.customPaneNavigationAndResize
Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.escapeTime
Time in milliseconds for which tmux waits after an escape is input.
Type: signed integer
Default: 500
Example: 0
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.extraConfig
Additional contents of /etc/tmux.conf
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.historyLimit
Maximum number of lines held in window history.
Type: signed integer
Default: 2000
Example: 5000
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.keyMode
VI or Emacs style shortcuts.
Type: one of "emacs", "vi"
Default: "emacs"
Example: "vi"
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.newSession
Automatically spawn a session if trying to attach and none are running.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.resizeAmount
Number of lines/columns when resizing.
Type: signed integer
Default: 5
Example: 10
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.reverseSplit
Reverse the window split shortcuts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.secureSocket
Store tmux socket under /run, which is more secure than /tmp, but as a downside it doesn't survive user logout.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.shortcut
Ctrl followed by this key is used as the main shortcut.
Type: string
Default: "b"
Example: "a"
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.tmux.terminal
Set the $TERM variable.
Type: string
Default: "screen"
Example: "screen-256color"
Declared by:
<nixpkgs/nixos/modules/programs/tmux.nix>
- programs.traceroute.enable
Whether to configure a setcap wrapper for traceroute.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/traceroute.nix>
- programs.tsmClient.enable
Whether to enable IBM Spectrum Protect (Tivoli Storage Manager, TSM) client command line applications with a client system-options file "dsm.sys".
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.package
The TSM client derivation to be added to the system environment. It will be called with .override to add paths to the client system-options file.
Type: package
Default: pkgs.tsm-client
Example: pkgs.tsm-client-withGui
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.defaultServername
If multiple server stanzas are declared with programs.tsmClient.servers, this option may be used to name a default server stanza that IBM TSM uses in the absence of a user-defined dsm.opt file. This option translates to a defaultserver configuration line.
Type: null or string matching the pattern .{1,64}
Default: null
Example: "mainTsmServer"
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.dsmSysText
This configuration key contains the effective text of the client system-options file "dsm.sys". It should not be changed, but may be used to feed the configuration into other TSM-depending packages used on the system.
Type: strings concatenated with "\n" (read only)
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers
Server definitions ("stanzas") for the client system-options file.
Type: attribute set of submodules
Default: { }
Example: { mainTsmServer = { extraConfig = { compression = "yes"; } ; node = "MY-TSM-NODE"; server = "tsmserver.company.com"; } ; }
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.extraConfig
Additional key-value pairs for the server stanza. Values must be strings, or null for the key not to be used in the stanza (e.g. to overrule values generated by other options).
Type: attribute set of null or strings
Default: { }
Example: { compression = "yes"; passwordaccess = null; }
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.genPasswd
Whether to enable automatic client password generation. This option influences the passwordaccess directive in dsm.sys. The password will be stored in the directory given by the option passwdDir. Caution: If this option is enabled and the server forces the password to be renewed (e.g. on first connection), a random password will be generated and stored.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.includeExclude
include.* and exclude.* directives to be used when sending files to the IBM TSM server. The lines will be written into a file that the inclexcl directive in dsm.sys points to.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  exclude.dir /nix/store
  include.encrypt /home/.../*
''
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.name
Local name of the IBM TSM server, must be uncapitalized and no longer than 64 chars. The value will be used for the server directive in dsm.sys.
Type: string matching the pattern .{1,64}
Example: "mainTsmServer"
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.node
Target node name on the IBM TSM server. The value will be used for the nodename directive in dsm.sys.
Type: string matching the pattern .+
Example: "MY-TSM-NODE"
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.passwdDir
Directory that holds the TSM node's password information. The value will be used for the passworddir directive in dsm.sys.
Type: path
Example: "/home/alice/tsm-password"
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.port
TCP port of the IBM TSM server. The value will be used for the tcpport directive in dsm.sys. TSM does not support ports above 32767.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 1500
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.server
Host/domain name or IP address of the IBM TSM server. The value will be used for the tcpserveraddress directive in dsm.sys.
Type: string matching the pattern .+
Example: "tsmserver.company.com"
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.servers.<name>.text
Additional text lines for the server stanza. This option can be used if certain configuration keys must be used multiple times or ordered in a certain way, as the extraConfig option can't control the order of lines in the resulting stanza. Note that the server line at the beginning of the stanza is not part of this option's value.
Type: strings concatenated with "\n"
Example: lib.modules.mkAfter "compression no"
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.tsmClient.wrappedPackage
The TSM client derivation, wrapped with the path to the client system-options file "dsm.sys". This option is to provide the effective derivation for other modules that want to call TSM executables.
Type: package (read only)
Declared by:
<nixpkgs/nixos/modules/programs/tsm-client.nix>
- programs.turbovnc.ensureHeadlessSoftwareOpenGL
Whether to set up NixOS such that TurboVNC's built-in software OpenGL implementation works.
This will enable hardware.opengl.enable so that OpenGL programs can find Mesa's llvmpipe drivers.
Setting this option to false does not mean that software OpenGL won't work; it may still work depending on your system configuration.
This option is also intended to generate warnings if you are using some configuration that's incompatible with using headless software OpenGL in TurboVNC.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/turbovnc.nix>
- programs.udevil.enable
Whether to enable udevil.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/udevil.nix>
- programs.usbtop.enable
Whether to enable usbtop and required kernel module.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/usbtop.nix>
- programs.vim.package
vim package to use.
Type: package
Default: pkgs.vim
Example: pkgs.vimHugeX
Declared by:
<nixpkgs/nixos/modules/programs/vim.nix>
- programs.vim.defaultEditor
When enabled, installs vim and configures vim to be the default editor using the EDITOR environment variable.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/vim.nix>
- programs.wavemon.enable
Whether to add wavemon to the global environment and configure a setcap wrapper for it.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/wavemon.nix>
- programs.waybar.enable
Whether to enable waybar.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/waybar.nix>
- programs.weylus.enable
Whether to enable weylus.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/weylus.nix>
- programs.weylus.package
Weylus package to install.
Type: package
Default: "pkgs.weylus"
Declared by:
<nixpkgs/nixos/modules/programs/weylus.nix>
- programs.weylus.openFirewall
Open ports needed for the functionality of the program.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/weylus.nix>
- programs.weylus.users
To enable stylus and multi-touch support, the user you're going to use must be added to this list. These users can synthesize input events system-wide, even when another user is logged in - untrusted users should not be added.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/programs/weylus.nix>
- programs.wireshark.enable
Whether to add Wireshark to the global environment and configure a setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/wireshark.nix>
- programs.wireshark.package
Which Wireshark package to install in the global environment.
Type: package
Default: pkgs.wireshark-cli
Declared by:
<nixpkgs/nixos/modules/programs/wireshark.nix>
- programs.wshowkeys.enable
Whether to enable wshowkeys (displays keypresses on screen on supported Wayland compositors). It requires root permissions to read input events, but these permissions are dropped after startup.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/wshowkeys.nix>
- programs.xfs_quota.projects
Setup of xfs_quota projects. Make sure the filesystem is mounted with the pquota option.
Type: attribute set of submodules
Default: { }
Example: { projname = { id = 50; path = "/xfsprojects/projname"; sizeHardLimit = "50g"; } ; }
Declared by:
<nixpkgs/nixos/modules/programs/xfs_quota.nix>
- programs.xfs_quota.projects.<name>.fileSystem
XFS filesystem hosting the xfs_quota project.
Type: string
Default: "/"
Declared by:
<nixpkgs/nixos/modules/programs/xfs_quota.nix>
- programs.xfs_quota.projects.<name>.id
Project ID.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/programs/xfs_quota.nix>
- programs.xfs_quota.projects.<name>.path
Project directory.
Type: string
Declared by:
<nixpkgs/nixos/modules/programs/xfs_quota.nix>
- programs.xfs_quota.projects.<name>.sizeHardLimit
Hard limit of the project size.
Type: null or string
Default: null
Example: "50g"
Declared by:
<nixpkgs/nixos/modules/programs/xfs_quota.nix>
- programs.xfs_quota.projects.<name>.sizeSoftLimit
Soft limit of the project size
Type: null or string
Default: null
Example: "30g"
Declared by:
<nixpkgs/nixos/modules/programs/xfs_quota.nix>
- programs.xonsh.enable
Whether to configure xonsh as an interactive shell.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/xonsh.nix>
- programs.xonsh.package
xonsh package to use.
Type: package
Default: pkgs.xonsh
Example: pkgs.xonsh.override { configFile = "/path/to/xonshrc"; }
Declared by:
<nixpkgs/nixos/modules/programs/xonsh.nix>
- programs.xonsh.config
Control file to customize your shell behavior.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/xonsh.nix>
- programs.xss-lock.enable
Whether to enable xss-lock.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/xss-lock.nix>
- programs.xss-lock.extraOptions
Additional command-line arguments to pass to xss-lock.
Type: list of strings
Default: [ ]
Example: [ "--ignore-sleep" ]
Declared by:
<nixpkgs/nixos/modules/programs/xss-lock.nix>
- programs.xss-lock.lockerCommand
Locker to be used with xsslock
Type: strings concatenated with " "
Default: "${pkgs.i3lock}/bin/i3lock"
Example: "${pkgs.i3lock-fancy}/bin/i3lock-fancy"
Declared by:
<nixpkgs/nixos/modules/programs/xss-lock.nix>
- programs.xwayland.enable
Whether to enable Xwayland (an X server for interfacing X11 apps with the Wayland protocol).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/xwayland.nix>
- programs.xwayland.package
The Xwayland package to use.
Type: path
Default:
pkgs.xwayland.override (oldArgs: { inherit (config.programs.xwayland) defaultFontPath; })
Declared by:
<nixpkgs/nixos/modules/programs/xwayland.nix>
- programs.xwayland.defaultFontPath
Default font path. Setting this option causes Xwayland to be rebuilt.
Type: string
Default:
optionalString config.fonts.fontDir.enable "/run/current-system/sw/share/X11/fonts"
Declared by:
<nixpkgs/nixos/modules/programs/xwayland.nix>
- programs.yabar.enable
Whether to enable yabar.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.package
The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable` derivations since 18.03, so it's possible to choose.
Type: package
Default: pkgs.yabar-unstable
Example: pkgs.yabar
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars
List of bars that should be rendered by yabar.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.extra
An attribute set which contains further attributes of a bar.
Type: attribute set of strings
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.font
The font that will be used to draw the status bar.
Type: string
Default: "sans bold 9"
Example: "Droid Sans, FontAwesome Bold 9"
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.indicators
Indicators that should be rendered by yabar.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.indicators.<name>.align
Whether to align the indicator at the left or right of the bar.
Type: one of "left", "center", "right"
Default: "left"
Example: "right"
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.indicators.<name>.exec
The type of the indicator to be executed.
Type: string
Example: "YABAR_DATE"
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.indicators.<name>.extra
An attribute set which contains further attributes of an indicator.
Type: attribute set of string or signed integers
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.yabar.bars.<name>.position
The position where the bar will be rendered.
Type: one of "top", "bottom"
Default: "top"
Example: "bottom"
Declared by:
<nixpkgs/nixos/modules/programs/yabar.nix>
- programs.zmap.enable
Whether to enable ZMap.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/zmap.nix>
- programs.zsh.enable
Whether to configure zsh as an interactive shell. To enable zsh for a particular user, use the users.users.<name?>.shell option for that user. To enable zsh system-wide use the users.defaultUserShell option.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.enableBashCompletion
Enable compatibility with bash's programmable completion system.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.enableCompletion
Enable zsh completion for all interactive zsh shells.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.enableGlobalCompInit
Enable execution of compinit call for all interactive zsh shells.
This option can be disabled if the user wants to extend their fpath and therefore needs a custom compinit call in the local config.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.autosuggestions.enable
Whether to enable zsh-autosuggestions.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
- programs.zsh.autosuggestions.extraConfig
Attribute set with additional configuration values
Type: attribute set of strings
Default: { }
Example:
{ "ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "20"; }
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
- programs.zsh.autosuggestions.highlightStyle
Highlight style for suggestions ({fore,back}ground color)
Type: string
Default: "fg=8"
Example: "fg=cyan"
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
- programs.zsh.autosuggestions.strategy
Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions. There are currently two to choose from:
* history: Chooses the most recent match.
* match_prev_cmd: Chooses the most recent match whose preceding history item matches the most recently executed command. Note that this strategy won't work as expected with ZSH options that don't preserve the history order such as HIST_IGNORE_ALL_DUPS or HIST_EXPIRE_DUPS_FIRST.
Type: one of "history", "match_prev_cmd"
Default: "history"
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
- programs.zsh.histFile
Change history file.
Type: string
Default: "$HOME/.zsh_history"
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.histSize
Change history size.
Type: signed integer
Default: 2000
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.interactiveShellInit
Shell script code called during interactive zsh shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.loginShellInit
Shell script code called during zsh login shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.ohMyZsh.enable
Enable oh-my-zsh.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.ohMyZsh.package
Package to install for `oh-my-zsh` usage.
Type: package
Default: pkgs.oh-my-zsh
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.ohMyZsh.cacheDir
Cache directory to be used by `oh-my-zsh`. Without this option it would default to the read-only nix store.
Type: string
Default: "$HOME/.cache/oh-my-zsh"
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.ohMyZsh.custom
Path to a custom oh-my-zsh package to override config of oh-my-zsh. (Can't be used along with `customPkgs`).
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.ohMyZsh.customPkgs
List of custom packages that should be loaded into `oh-my-zsh`.
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.ohMyZsh.plugins
List of oh-my-zsh plugins
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.ohMyZsh.theme
Name of the theme to be used by oh-my-zsh.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
- programs.zsh.promptInit
Shell script code used to initialise the zsh prompt.
Type: strings concatenated with "\n"
Default:
''
  # Note that to manually override this in ~/.zshrc you should run `prompt off`
  # before setting your PS1 and etc. Otherwise this will likely to interact with
  # your ~/.zshrc configuration in unexpected ways as the default prompt sets
  # a lot of different prompt variables.
  autoload -U promptinit && promptinit && prompt suse && setopt prompt_sp
''
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.setOptions
Configure zsh options. See zshoptions(1).
Type: list of strings
Default: [ "HIST_IGNORE_DUPS" "SHARE_HISTORY" "HIST_FCNTL_LOCK" ]
Example: [ "EXTENDED_HISTORY" "RM_STAR_WAIT" ]
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.shellAliases
Set of aliases for zsh shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.
Type: attribute set of null or string or paths
Default: { }
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.shellInit
Shell script code called during zsh shell initialisation.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
- programs.zsh.syntaxHighlighting.enable
Whether to enable zsh-syntax-highlighting.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
- programs.zsh.syntaxHighlighting.highlighters
Specifies the highlighters to be used by zsh-syntax-highlighting.
The following defined options can be found here: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
Type: list of one of "main", "brackets", "pattern", "cursor", "root", "line"s
Default: [ "main" ]
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
- programs.zsh.syntaxHighlighting.patterns
Specifies custom patterns to be highlighted by zsh-syntax-highlighting.
Please refer to the docs for more information about the usage: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md
Type: attribute set of strings
Default: { }
Example:
{ "rm -rf *" = "fg=white,bold,bg=red"; }
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
- programs.zsh.syntaxHighlighting.styles
Specifies custom styles to be highlighted by zsh-syntax-highlighting.
Please refer to the docs for more information about the usage: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/main.md
Type: attribute set of strings
Default: { }
Example:
{ "alias" = "fg=magenta,bold"; }
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
- programs.zsh.vteIntegration
Whether to enable Zsh integration for VTE terminals. This allows it to preserve the current directory of the shell across terminals.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/config/vte.nix>
- programs.zsh.zsh-autoenv.enable
Whether to enable zsh-autoenv.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix>
- programs.zsh.zsh-autoenv.package
Package to install for `zsh-autoenv` usage.
Type: package
Default: pkgs.zsh-autoenv
Declared by:
<nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix>
- qt5.enable
Whether to enable Qt5 theming configuration.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/config/qt5.nix>
- qt5.platformTheme
Selects the platform theme to use for Qt5 applications.
The options are
- gtk
Use GTK theme with qtstyleplugins
- gnome
Use GNOME theme with qgnomeplatform
Type: one of "gtk2", "gnome"
Example: "gnome"
Related packages:
- pkgs.qgnomeplatform (qgnomeplatform-0.8.0): QPlatformTheme for a better Qt application inclusion in GNOME.
- pkgs.libsForQt5.qtstyleplugins (qtstyleplugins-unstable-2017-03-11): Additional style plugins for Qt5, including BB10, GTK, Cleanlooks, Motif, Plastique.
Declared by:
<nixpkgs/nixos/modules/config/qt5.nix>
- qt5.style
Selects the style to use for Qt5 applications.
The options are
- adwaita, adwaita-dark
Use Adwaita Qt style with adwaita
- cleanlooks, gtk2, motif, plastique
Use styles from qtstyleplugins
Type: one of "adwaita", "adwaita-dark", "cleanlooks", "gtk2", "motif", "plastique"
Example: "adwaita"
Related packages:
- pkgs.adwaita-qt (adwaita-qt-1.4.0): A style to bend Qt applications to look like they belong into GNOME Shell.
- pkgs.libsForQt5.qtstyleplugins (qtstyleplugins-unstable-2017-03-11): Additional style plugins for Qt5, including BB10, GTK, Cleanlooks, Motif, Plastique.
Declared by:
<nixpkgs/nixos/modules/config/qt5.nix>
- security.acme.enableDebugLogs
Whether to enable debug logging for all certificates by default.
Type: boolean
Default: true
Example: true
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.acceptTerms
Accept the CA's terms of service. The default provider is Let's Encrypt; you can find their ToS at https://letsencrypt.org/repository/.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs
Attribute set of certificates to get signed and renewed. Creates acme-${cert}.{service,timer} systemd units for each certificate defined here. Other services can add dependencies to those units if they rely on the certificates being present, or trigger restarts of the service if certificates get renewed.
Type: attribute set of submodules
Default: { }
Example:
{
  "example.com" = {
    webroot = "/var/lib/acme/acme-challenge/";
    email = "foo@example.com";
    extraDomainNames = [ "www.example.com" "foo.example.com" ];
  };
  "bar.example.com" = {
    webroot = "/var/lib/acme/acme-challenge/";
    email = "bar@example.com";
  };
}
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.enableDebugLogs
Whether to enable debug logging for this certificate.
Type: boolean
Default: true
Example: true
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.credentialsFile
Path to an EnvironmentFile for the cert's service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
Type: path
Example: "/var/src/secrets/example.org-route53-api-token"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.directory
Directory where certificate and other state is stored.
Type: string (read only)
Default: "/var/lib/acme/‹name›"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.dnsPropagationCheck
Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.dnsProvider
DNS Challenge provider. For a list of supported providers, see the "code" field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
Type: null or string
Default: null
Example: "route53"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.dnsResolver
Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google's DNS resolvers if the system's cannot be determined.
Type: null or string
Default: null
Example: "1.1.1.1:53"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.domain
Domain to fetch certificate for (defaults to the entry name).
Type: string
Default: "‹name›"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.email
Contact email address for the CA to be able to reach you.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.extraDomainNames
A list of extra domain names, which are included in the one certificate to be issued.
Type: list of strings
Default: [ ]
Example:
[ "example.org" "mydomain.org" ]
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.extraLegoFlags
Additional global flags to pass to all lego commands.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.extraLegoRenewFlags
Additional flags to pass to lego renew.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.extraLegoRunFlags
Additional flags to pass to lego run.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.group
Group running the ACME client.
Type: string
Default: "acme"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.keyType
Key type to use for private keys. For an up to date list of supported values check the --key-type option at https://go-acme.github.io/lego/usage/cli/#usage.
Type: string
Default: "ec256"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.ocspMustStaple
Turns on the OCSP Must-Staple TLS extension. Make sure you know what you're doing! See:
- https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/
- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.postRun
Commands to run after new certificates go live. Note that these commands run as the root user.
Executed in the same directory with the new certificate.
Type: strings concatenated with "\n"
Default: ""
Example: "cp full.pem backup.pem"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.reloadServices
The list of systemd services to call systemctl try-reload-or-restart on.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.server
ACME Directory Resource URI. Defaults to Let's Encrypt's production endpoint, https://acme-v02.api.letsencrypt.org/directory, if unset.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.certs.<name>.webroot
Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn't exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).
Type: null or string
Default: null
Example: "/var/lib/acme/acme-challenge"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.email
Contact email address for the CA to be able to reach you.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.preliminarySelfsigned
Whether a preliminary self-signed certificate should be generated before doing ACME requests. This can be useful when certificates are required in a webserver, but ACME needs the webserver to make its requests.
With preliminary self-signed certificate the webserver can be started and can later reload the correct ACME certificates.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.renewInterval
Systemd calendar expression when to check for renewal. See systemd.time(7).
Type: string
Default: "daily"
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.server
ACME Directory Resource URI. Defaults to Let's Encrypt's production endpoint, https://acme-v02.api.letsencrypt.org/directory, if unset.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.acme.validMinDays
Minimum remaining validity before renewal in days.
Type: signed integer
Default: 30
Declared by:
<nixpkgs/nixos/modules/security/acme.nix>
- security.allowSimultaneousMultithreading
Whether to allow SMT/hyperthreading. Disabling SMT means that only physical CPU cores will be usable at runtime, potentially at significant performance cost.
The primary motivation for disabling SMT is to mitigate the risk of leaking data between threads running on the same CPU core (due to e.g., shared caches). This attack vector is unproven.
Disabling SMT is a supplement to the L1 data cache flushing mitigation (see security.virtualisation.flushL1DataCache) versus malicious VM guests (SMT could "bring back" previously flushed data).
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/misc.nix>
- security.allowUserNamespaces
Whether to allow creation of user namespaces.
The motivation for disabling user namespaces is the potential presence of code paths where the kernel's permission checking logic fails to account for namespacing, instead permitting a namespaced process to act outside the namespace with the same privileges as it would have inside it. This is particularly damaging in the common case of running as root within the namespace.
When user namespace creation is disallowed, attempting to create a user namespace fails with "no space left on device" (ENOSPC). root may re-enable user namespace creation at runtime.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/misc.nix>
- security.apparmor.enable
Whether to enable the AppArmor Mandatory Access Control system.
If you're enabling this module on a running system, note that a reboot will be required to activate AppArmor in the kernel.
Also, beware that this module favours stability over security: by default it does not try to kill running processes that are unconfined but newly confinable, even though that would be needed, because AppArmor can only confine new or already confined processes of an executable. Such killing would for instance be necessary when upgrading to a NixOS revision that introduces, for the first time, an AppArmor profile for the executable of a running process.
Enable security.apparmor.killUnconfinedConfinables if you want this service to do such killing by sending a SIGTERM to those running processes.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.enableCache
Whether to enable caching of AppArmor policies in /var/cache/apparmor/.
Beware that AppArmor policies almost always contain Nix store paths, and thus produce at each change of these paths a new cached version accumulating in the cache.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.packages
List of packages to be added to AppArmor's include path
Type: list of packages
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.includes
List of paths to be added to AppArmor's searched paths when resolving include directives.
Type: attribute set of strings concatenated with "\n"s
Default: { }
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.killUnconfinedConfinables
Whether to enable killing of processes which have an AppArmor profile enabled (in security.apparmor.policies) but are not confined (because AppArmor can only confine new processes).
This only sends a graceful SIGTERM signal to the processes, not a SIGKILL.
Beware that due to a current limitation of AppArmor, only profiles with exact paths (and no name) can enable such kills.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.policies
AppArmor policies.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.policies.<name>.enable
Whether to enable loading of the profile into the kernel.
Type: boolean
Default: true
Example: false
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.policies.<name>.enforce
Whether to enable enforcing of the policy or only complain in the logs.
Type: boolean
Default: true
Example: false
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.apparmor.policies.<name>.profile
The policy of the profile.
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
- security.audit.enable
Whether to enable the Linux audit system. The special `lock' value can be used to enable auditing and prevent disabling it until a restart. Be careful about locking this, as it will prevent you from changing your audit configuration until you restart. If possible, test your configuration using build-vm beforehand.
Type: one of false, true, "lock"
Default: false
Declared by:
<nixpkgs/nixos/modules/security/audit.nix>
- security.audit.backlogLimit
The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode.
Type: signed integer
Default: 64
Declared by:
<nixpkgs/nixos/modules/security/audit.nix>
- security.audit.failureMode
How to handle critical errors in the auditing system
Type: one of "silent", "printk", "panic"
Default: "printk"
Declared by:
<nixpkgs/nixos/modules/security/audit.nix>
- security.audit.rateLimit
The maximum messages per second permitted before triggering a failure as specified by failureMode. Setting it to zero disables the limit.
Type: signed integer
Default: 0
Declared by:
<nixpkgs/nixos/modules/security/audit.nix>
- security.audit.rules
The ordered audit rules, with each string appearing as one line of the audit.rules file.
Type: list of strings
Default: [ ]
Example: [ "-a exit,always -F arch=b64 -S execve" ]
Declared by:
<nixpkgs/nixos/modules/security/audit.nix>
- security.auditd.enable
Whether to enable the Linux Audit daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/auditd.nix>
- security.chromiumSuidSandbox.enable
Whether to install the Chromium SUID sandbox which is an executable that Chromium may use in order to achieve sandboxing.
If you get the error "The SUID sandbox helper binary was found, but is not configured correctly.", turning this on might help.
Also, if the URL chrome://sandbox tells you that "You are not adequately sandboxed!", turning this on might resolve the issue.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix>
- security.dhparams.enable
Whether to generate new DH params and clean up old DH params.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.dhparams.defaultBitSize
This allows overriding the default bit size for all of the Diffie-Hellman parameters set in security.dhparams.params.
Type: integer of at least 16 bits
Default: 2048
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.dhparams.params
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The generated DH params path can be found in config.security.dhparams.params.name.path.
Note
The name of the DH params is taken as being the name of the service it serves and the params will be generated before the said service is started.
Warning
If you are removing all dhparams from this list, you have to leave security.dhparams.enable for at least one activation in order to have them be cleaned up. This also means if you rollback to a version without any dhparams the existing ones won't be cleaned up. Of course this only applies if security.dhparams.stateful is true.
For module implementers:
It's recommended to not set a specific bit size here, so that users can easily override this by setting security.dhparams.defaultBitSize.
Type: attribute set of submodule or signed integer convertible to its
Default: { }
Example: { nginx.bits = 3072; }
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.dhparams.params.<name>.bits
The bit size for the prime that is used during a Diffie-Hellman key exchange.
Type: integer of at least 16 bits
Default: 2048
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.dhparams.params.<name>.path
The resulting path of the generated Diffie-Hellman parameters file for other services to reference. This could be either a store path or a file inside the directory specified by security.dhparams.path.
Type: path (read only)
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.dhparams.path
Path to the directory in which Diffie-Hellman parameters will be stored. This is only relevant if security.dhparams.stateful is true.
Type: string
Default: "/var/lib/dhparams"
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.dhparams.stateful
Whether generation of Diffie-Hellman parameters should be stateful or not. If this is enabled, PEM-encoded files for Diffie-Hellman parameters are placed in the directory specified by security.dhparams.path. Otherwise the files are created within the Nix store.
Note
If this is false the resulting store path will be non-deterministic and will be rebuilt every time the openssl package changes.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/dhparams.nix>
- security.doas.enable
Whether to enable the doas command, which allows non-root users to execute commands as root.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraConfig
Extra configuration text appended to doas.conf.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules
Define specific rules to be set in the /etc/doas.conf file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore and/or mkAfter to ensure this is the case when configuration options are merged.
Type: list of submodules
Default: [ ]
Example:
[
  # Allow execution of any command by any user in group doas, requiring
  # a password and keeping any previously-defined environment variables.
  { groups = [ "doas" ]; noPass = false; keepEnv = true; }

  # Allow execution of "/home/root/secret.sh" by user `backup` OR user
  # `database` OR any member of the group with GID `1006`, without a
  # password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    cmd = "/home/root/secret.sh"; noPass = true; }

  # Allow any member of group `bar` to run `/home/baz/cmd1.sh` as user
  # `foo` with argument `hello-doas`.
  { groups = [ "bar" ]; runAs = "foo";
    cmd = "/home/baz/cmd1.sh"; args = [ "hello-doas" ]; }

  # Allow any member of group `bar` to run `/home/baz/cmd2.sh` as user
  # `foo` with no arguments.
  { groups = [ "bar" ]; runAs = "foo";
    cmd = "/home/baz/cmd2.sh"; args = [ ]; }

  # Allow user `abusers` to execute "nano" and unset the value of
  # SSH_AUTH_SOCK, override the value of ALPHA to 1, and inherit the
  # value of BETA from the current environment.
  { users = [ "abusers" ]; cmd = "nano";
    setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; }
]
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
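The ordering advice for security.doas.extraRules, shown as an added example that is not part of the NixOS manual: doas applies the last rule that matches, so a narrow passwordless rule only takes effect if it ends up after the broad password-requiring rule in the merged list. The group name ops, the unit nightly-backup.service and the choice of systemctl as the command are constructed for illustration.

```nix
{ lib, ... }:
{
  security.doas.enable = true;

  # In a real system the two definitions below would usually live in
  # different modules; mkMerge is used here only to show both in one file.
  security.doas.extraRules = lib.mkMerge [

    # General rule, forced towards the front of the merged list:
    # members of the (constructed) group "ops" may run any command,
    # but must enter their password.
    (lib.mkBefore [
      {
        groups = [ "ops" ];
        noPass = false;
      }
    ])

    # Specific rule, forced towards the end of the merged list so that it
    # is the last match for this exact command line: user "backup" may
    # restart one (constructed) unit without a password. Pinning both cmd
    # (absolute path) and args keeps the passwordless grant to a single
    # invocation, and "-SSH_AUTH_SOCK" stops the agent socket from being
    # inherited by the privileged process.
    (lib.mkAfter [
      {
        users = [ "backup" ];
        cmd = "/run/current-system/sw/bin/systemctl";
        args = [ "restart" "nightly-backup.service" ];
        noPass = true;
        setEnv = [ "-SSH_AUTH_SOCK" ];
      }
    ])
  ];
}
```

If the two rules were merged in the opposite order and backup were also a member of ops, the general rule would match last and the password prompt would return; the generated /etc/doas.conf shows the final order.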
- security.doas.extraRules.*.args
Arguments that must be provided to the command. When set to [], the command must be run without any arguments.
Type: null or list of strings
Default: null
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.cmd
The command the user is allowed to run. When set to null (the default), all commands are allowed.
NOTE: It is best practice to specify absolute paths. If a relative path is specified, only a restricted PATH will be searched.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.groups
The groups / GIDs this rule should apply for.
Type: list of string or signed integers
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.keepEnv
If true, environment variables other than those listed in doas(1) are kept when creating the environment for the new process.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.noLog
If true, successful executions will not be logged to syslogd(8).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.noPass
If true, the user is not required to enter a password.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.persist
If true, do not ask for a password again for some time after the user successfully authenticates.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.runAs
Which user or group the specified command is allowed to run as. When set to null (the default), all users are allowed.
A user can be specified using just the username: "foo". It is also possible to only allow running as a specific group with ":bar".
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.setEnv
Keep or set the specified variables. Variables may also be removed with a leading '-' or set using variable=value. If the first character of value is a '$', the value to be set is taken from the existing environment variable of the indicated name. This option is processed after the default environment has been created.
NOTE: All rules have setenv { SSH_AUTH_SOCK } by default. To prevent SSH_AUTH_SOCK from being inherited, add "-SSH_AUTH_SOCK" anywhere in this list.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.extraRules.*.users
The usernames / UIDs this rule should apply for.
Type: list of string or signed integers
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.doas.wheelNeedsPassword
Whether users of the wheel group must provide a password to run commands as super user via doas.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/doas.nix>
- security.duosec.acceptEnvFactor
Look for factor selection or passcode in the $DUO_PASSCODE environment variable before prompting the user for input.
When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in its configuration, and the SSH server will similarly need AcceptEnv DUO_PASSCODE.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.allowTcpForwarding
By default, enabling Duo Security disables TCP forwarding over SSH. By enabling this option, you potentially undermine some of the SSH-based login security. Note that this is not needed if you use PAM.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.autopush
If true, Duo Unix will automatically send a push login request to the user’s phone, falling back on a phone call if push is unavailable. If false, the user will be prompted to choose an authentication method. When configured with autopush = yes, we recommend setting prompts = 1.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.failmode
On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe".
Type: one of "safe", "secure"
Default: "safe"
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.fallbackLocalIP
Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting fallbackLocalIP = yes will cause Duo Unix to send the IP address of the server it is running on.
If you are using IP whitelisting, enabling this option could cause unauthorized logins if the local IP is listed in the whitelist.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.groups
If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists. Refer to https://duo.com/docs/duounix for details.
Type: string
Default: ""
Example: "users,!wheel,!*admin guests"
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.host
Duo API hostname.
Type: string
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.integrationKey
Integration key.
Type: string
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.motd
Print the contents of /etc/motd to screen after a successful login.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.pam.enable
If enabled, protect logins with Duo Security using PAM support.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.prompts
If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3.
For example, when prompts = 1, the user will have to successfully authenticate on the first prompt, whereas if prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again.
When configured with autopush = true, we recommend setting prompts = 1.
Type: one of 1, 2, 3
Default: 3
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.pushinfo
Include information such as the command to be executed in the Duo Push message.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.secretKeyFile
A file containing your secret key. The security of your Duo application is tied to the security of your secret key.
Type: null or path
Default: null
Example: "/run/keys/duo-skey"
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.duosec.ssh.enable
If enabled, protect SSH logins with Duo Security.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/duosec.nix>
- security.forcePageTableIsolation
Whether to force-enable the Page Table Isolation (PTI) Linux kernel feature even on CPU models that claim to be safe from Meltdown.
This hardening feature is most beneficial to systems that run untrusted workloads that rely on address space isolation for security.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/misc.nix>
- security.googleOsLogin.enable
Whether to enable Google OS Login.
The OS Login package enables the following components:
- AuthorizedKeysCommand to query valid SSH keys from the user's OS Login profile during the SSH authentication phase.
- NSS module to provide user and group information.
- PAM module for the sshd service, providing authorization and authentication support, allowing the system to use data stored in Google Cloud IAM permissions to control both the ability to log into an instance and to perform operations as root (sudo).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/google_oslogin.nix>
- security.lockKernelModules
Disable kernel module loading once the system is fully initialised. Module loading is disabled until the next reboot. Problems caused by delayed module loading can be fixed by adding the module(s) in question to boot.kernelModules.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/lock-kernel-modules.nix>
- security.pam.enableEcryptfs
Whether to enable eCryptfs PAM module (mounting ecryptfs home directory on login).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.enableOTPW
Whether to enable the OTPW (one-time password) PAM module.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.enableSSHAgentAuth
Enable sudo logins if the user's SSH agent provides a key present in ~/.ssh/authorized_keys. This allows machines to exclusively use SSH keys instead of passwords.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.loginLimits
Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a domain, type, item, and value attribute. The syntax and semantics of these attributes must be that described in the limits.conf(5) man page.
Note that these limits do not apply to systemd services, whose limits can be changed via systemd.extraConfig instead.
Type: unspecified
Default: [ ]
Example: [ { domain = "ftp"; item = "nproc"; type = "hard"; value = "0"; } { domain = "@student"; item = "maxlogins"; type = "-"; value = "4"; } ]
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.makeHomeDir.skelDirectory
Path to skeleton directory whose contents are copied to home directories newly created by pam_mkhomedir.
Type: string
Default: "/var/empty"
Example: "/etc/skel"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.mount.enable
Enable the PAM mount system to mount filesystems on user login.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam_mount.nix>
- security.pam.mount.additionalSearchPaths
Additional programs to include in the search path of pam_mount. Useful for example if you want to use some FUSE filesystems like bindfs.
Type: list of packages
Default: [ ]
Example: [ pkgs.bindfs ]
Declared by:
<nixpkgs/nixos/modules/security/pam_mount.nix>
- security.pam.mount.extraVolumes
List of volume definitions for pam_mount. For more information, visit http://pam-mount.sourceforge.net/pam_mount.conf.5.html.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/pam_mount.nix>
- security.pam.mount.fuseMountOptions
Global mount options that apply to every FUSE volume. You can define volume-specific options in the volume definitions.
Type: list of strings
Default: [ ]
Example:
[ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ]
Declared by:
<nixpkgs/nixos/modules/security/pam_mount.nix>
- security.pam.oath.enable
Enable the OATH (one-time password) PAM module.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/oath.nix>
- security.pam.oath.digits
Specify the length of the one-time password in number of digits.
Type: one of 6, 7, 8
Default: 6
Declared by:
<nixpkgs/nixos/modules/security/oath.nix>
- security.pam.oath.usersFile
Set the path to file where the user's credentials are stored. This file must not be world readable!
Type: path
Default: "/etc/users.oath"
Declared by:
<nixpkgs/nixos/modules/security/oath.nix>
- security.pam.oath.window
Specify the number of one-time passwords to check in order to accommodate for situations where the system and the client are slightly out of sync (iteration for HOTP or time steps for TOTP).
Type: signed integer
Default: 5
Declared by:
<nixpkgs/nixos/modules/security/oath.nix>
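How security.pam.oath.window and security.pam.oath.digits interact for HOTP, as an added Python example (not code from NixOS or pam_oath). It assumes, following the description above, that window is the number of consecutive counter values checked; the key is the RFC 4226 test key and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the shared secret used by the RFC 4226 test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the RFC 4226 HOTP value for one counter, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate(secret: bytes, stored_counter: int, otp: str,
             window: int = 5, digits: int = 6):
    """Check `otp` against `window` consecutive counters (assumed semantics).

    Returns the counter value to store after a successful login, or None
    when no counter inside the window produces `otp`.
    """
    for step in range(window):
        candidate = hotp(secret, stored_counter + step, digits)
        if hmac.compare_digest(candidate, otp):
            # Move past the matched counter so the same code cannot be replayed.
            return stored_counter + step + 1
    return None


def demo():
    """Walk through a client that is four button presses ahead of the server."""
    server_counter = 0
    client_code = hotp(RFC4226_SECRET, 4)            # client is at counter 4
    resynced = validate(RFC4226_SECRET, server_counter, client_code)
    replay = validate(RFC4226_SECRET, resynced, client_code)
    too_far = validate(RFC4226_SECRET, server_counter, hotp(RFC4226_SECRET, 5))
    return resynced, replay, too_far


if __name__ == "__main__":
    print(demo())
```

A larger window tolerates more drift but also means more codes are acceptable at any moment, so each guess has a higher chance of matching; more digits reduce that chance.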
- security.pam.p11.enable
Enables P11 PAM (pam_p11) module.
If set, users can log in with SSH keys and PKCS#11 tokens.
More information can be found here.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.p11.control
This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use the PKCS#11 device instead of the regular password, use "sufficient".
Read pam.conf(5) for better understanding of this option.
Type: one of "required", "requisite", "sufficient", "optional"
Default: "sufficient"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services
This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.enableAppArmor
Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.enableGnomeKeyring
If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login. If the user login password does not match their keyring password, Gnome Keyring will prompt separately after login.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.enableKwallet
If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login. If the user has no wallet named "kdewallet", or the login password does not match their wallet password, KDE will prompt separately after login.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.allowNullPassword
Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to !). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.duoSecurity.enable
If set, use the Duo Security pam module pam_duo for authentication. Requires configuration of security.duosec options.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.forwardXAuth
Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.fprintAuth
If set, fingerprint reader will be used (if exists and your fingerprints are enrolled).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.gnupg.enable
If enabled, pam_gnupg will attempt to automatically unlock the user's GPG keys with the login password via gpg-agent. The keygrips of all keys to be unlocked should be written to ~/.pam-gnupg, and can be queried with gpg -K --with-keygrip. Presetting passphrases must be enabled by adding allow-preset-passphrase in ~/.gnupg/gpg-agent.conf.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.gnupg.noAutostart
Don't start gpg-agent if it is not running. Useful in conjunction with starting gpg-agent as a systemd user service.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.gnupg.storeOnly
Don't send the password immediately after login, but store for PAM session.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.googleAuthenticator.enable
If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide Google Authenticator token to log in.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.googleOsLoginAccountVerification
If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly. This only makes sense to enable for the sshd PAM service.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.googleOsLoginAuthentication
If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA. This only makes sense to enable for the sshd PAM service.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.limits
Attribute set describing resource limits. Defaults to the value of security.pam.loginLimits.
Type: unspecified
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.logFailures
Whether to log authentication failures in /var/log/faillog.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.makeHomeDir
Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.name
Name of the PAM service.
Type: string
Example: "sshd"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.nodelay
Whether the delay after typing a wrong password should be disabled.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.oathAuth
If set, the OATH Toolkit will be used.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.otpwAuth
If set, the OTPW system will be used (if ~/.otpw exists).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.p11Auth
If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.pamMount
Enable the PAM mount (pam_mount) system to mount filesystems on user login.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.requireWheel
Whether to permit root access only to members of group wheel.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.rootOK
If set, root doesn't need to authenticate (e.g. for the useradd service).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.setEnvironment
Whether the service should set the environment variables listed in environment.sessionVariables using pam_env.so.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.setLoginUid
Set the login uid of the process (/proc/self/loginuid) for auditing purposes. The login uid is only set by ‘entry points’ like login and sshd, not by commands like sudo.
Type: boolean
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.showMotd
Whether to show the message of the day.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.sshAgentAuth
If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.sssdStrictAccess
Enforce sssd access control.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.startSession
If set, the service will register a new session with systemd's login manager. For local sessions, this will give the user access to audio devices, CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.text
Contents of the PAM service file.
Type: null or strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.ttyAudit.enable
Enable or disable TTY auditing for specified users
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.ttyAudit.enablePattern
For each user matching one of comma-separated glob patterns, enable TTY auditing
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.ttyAudit.disablePattern
For each user matching one of comma-separated glob patterns, disable TTY auditing
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.ttyAudit.openOnly
Set the TTY audit flag when opening the session, but do not restore it when closing the session. Using this option is necessary for some services that don't fork() to run the authenticated session, such as sudo.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.u2fAuth
If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. Path can be changed using security.pam.u2f.authFile option.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.unixAuth
Whether users can log in with passwords defined in /etc/shadow.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.updateWtmp
Whether to update /var/log/wtmp.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.usbAuth
If set, users listed in /etc/pamusb.conf are able to log in with the associated USB key.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.services.<name>.yubicoAuth
If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.enable
Enables U2F PAM (pam-u2f) module.
If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using security.pam.u2f.authFile option.
File format is:
username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
This file can be generated using the pamu2fcfg command.
More information can be found here.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.appId
By default pam-u2f module sets the application ID to pam://$HOSTNAME.
When using pamu2fcfg, you can specify your application ID with the -i flag.
More information can be found here
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.authFile
By default pam-u2f module reads the keys from $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set).
If you want to change auth file locations or centralize database (for example use /etc/u2f-mappings) you can set this option.
File format is:
username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
This file can be generated using the pamu2fcfg command.
More information can be found here.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.control
This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use U2F device instead of regular password, use "sufficient".
Read pam.conf(5) for better understanding of this option.
Type: one of "required", "requisite", "sufficient", "optional"
Default: "sufficient"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.cue
By default pam-u2f module does not inform user that he needs to use the u2f device, it just waits without a prompt.
If you set this option to true, cue option is added to pam-u2f module and reminder message will be displayed.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.debug
Debug output to stderr.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.u2f.interactive
Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn’t have a tactile trigger.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.usb.enable
Enable USB login for all login systems that support it. For more information, visit https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam_usb.nix>
- security.pam.yubico.enable
Enables Yubico PAM (yubico-pam) module.
If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
The file must have only one line:
username:yubikey_token_id1:yubikey_token_id2
More information can be found here.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.yubico.challengeResponsePath
If not null, set the path used by yubico pam module where the challenge expected response is stored.
More information can be found here.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.yubico.control
This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use Yubikey instead of regular password, use "sufficient".
Read pam.conf(5) for better understanding of this option.
Type: one of "required", "requisite", "sufficient", "optional"
Default: "sufficient"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
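What the "control" value means for security.pam.p11.control, security.pam.u2f.control and security.pam.yubico.control, as an added Python model of the simple PAM control keywords from pam.conf(5) (not NixOS or Linux-PAM code). The stack layout is an assumption made for illustration: the token module runs first, followed by a "sufficient" password module and a final always-failing "required" module; all names are hypothetical.

```python
from dataclasses import dataclass

CONTROLS = ("required", "requisite", "sufficient", "optional")


@dataclass(frozen=True)
class Module:
    name: str
    control: str    # one of CONTROLS
    succeeds: bool  # outcome of this module for the current login attempt


def evaluate(stack):
    """Evaluate an auth stack with the simple control keywords of pam.conf(5)."""
    failed = False     # a required module has failed
    succeeded = False  # at least one module has reported success
    for mod in stack:
        if mod.control not in CONTROLS:
            raise ValueError(f"unknown control {mod.control!r}")
        if mod.control == "sufficient":
            # Success ends the stack at once unless a required module already
            # failed; failure of a sufficient module is ignored.
            if mod.succeeds and not failed:
                return True
        elif mod.control == "optional":
            # Only matters when nothing else in the stack decides the result.
            succeeded = succeeded or mod.succeeds
        elif mod.succeeds:
            succeeded = True
        elif mod.control == "requisite":
            return False   # failure is returned immediately
        else:
            failed = True  # required: remember the failure, keep going
    return succeeded and not failed


def login_allowed(token_control, token_ok, password_ok):
    """Build the assumed stack and report whether authentication succeeds."""
    stack = [
        Module("token", token_control, token_ok),        # p11 / u2f / yubico
        Module("password", "sufficient", password_ok),   # assumed layout
        Module("deny", "required", False),               # assumed catch-all
    ]
    return evaluate(stack)


def summary(token_control):
    """Outcome for every combination of (token_ok, password_ok)."""
    return {
        (t, p): login_allowed(token_control, t, p)
        for t in (True, False)
        for p in (True, False)
    }


if __name__ == "__main__":
    for control in ("sufficient", "required"):
        print(control, summary(control))
```

With the default "sufficient", either the token or the password alone is accepted in this model; only "required" (or "requisite") makes the token a second factor.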
- security.pam.yubico.debug
Debug output to stderr.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.yubico.id
Client ID.
Type: string
Example: "42"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pam.yubico.mode
Mode of operation.
Use "client" for online validation with a YubiKey validation service such as the YubiCloud.
Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.
More information can be found here.
Type: one of "client", "challenge-response"
Default: "client"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
- security.pki.caCertificateBlacklist
A list of blacklisted CA certificate names that won't be imported from the Mozilla Trust Store into /etc/ssl/certs/ca-certificates.crt. Use the names from that file.
Type: list of strings
Default: [ ]
Example: [ "WoSign" "WoSign China" "CA WoSign ECC Root" "Certification Authority of WoSign G2" ]
Declared by:
<nixpkgs/nixos/modules/security/ca.nix>
- security.pki.certificateFiles
A list of files containing trusted root certificates in PEM format. These are concatenated to form /etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as curl and git.
Type: list of paths
Default: [ ]
Example: [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]
Declared by:
<nixpkgs/nixos/modules/security/ca.nix>
- security.pki.certificates
A list of trusted root certificates in PEM format.
Type: list of strings
Default: [ ]
Example:
[
  ''
    NixOS.org
    =========
    -----BEGIN CERTIFICATE-----
    MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
    TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
    ...
    -----END CERTIFICATE-----
  ''
]
Declared by:
<nixpkgs/nixos/modules/security/ca.nix>
- security.polkit.enable
Whether to enable PolKit.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/polkit.nix>
- security.polkit.adminIdentities
Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value). By default, this is all users in the wheel group.
Type: list of strings
Default: [ "unix-group:wheel" ]
Example: [ "unix-user:alice" "unix-group:admin" ]
Declared by:
<nixpkgs/nixos/modules/security/polkit.nix>
- security.polkit.extraConfig
Any polkit rules to be added to config (in JavaScript ;-). See: http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
Type: strings concatenated with "\n"
Default: ""
Example:
''
  /* Log authorization checks. */
  polkit.addRule(function(action, subject) {
    polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
  });

  /* Allow any local user to do anything (dangerous!). */
  polkit.addRule(function(action, subject) {
    if (subject.local) return "yes";
  });
''
Declared by:
<nixpkgs/nixos/modules/security/polkit.nix>
- security.protectKernelImage
Whether to prevent replacing the running kernel image.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/misc.nix>
- security.rtkit.enable
Whether to enable the RealtimeKit system service, which hands out realtime scheduling priority to user processes on demand. For example, the PulseAudio server uses this to acquire realtime priority.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/rtkit.nix>
- security.sudo.enable
Whether to enable the sudo command, which allows non-root users to execute commands as root.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.package
Which package to use for `sudo`.
Type: package
Default: pkgs.sudo
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.configFile
This string contains the contents of the sudoers file.
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.execWheelOnly
Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraConfig
Extra configuration text appended to sudoers.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraRules
Define specific rules to be in the sudoers file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure this is the case when configuration options are merged.
Type: list of submodules
Default: [ ]
Example:
[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
  # and the group with GID `1006` without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group `bar` to run two executables as user `foo`
  # with arguments being pre-set.
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
        { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraRules.*.commands
The commands for which the rule should apply.
Type: list of string or submodules
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraRules.*.groups
The groups / GIDs this rule should apply for.
Type: list of string or signed integers
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraRules.*.host
For what host this rule should apply.
Type: string
Default: "ALL"
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraRules.*.runAs
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: "foo". It is also possible to specify a user/group combination using "foo:bar" or to only allow running as a specific group with ":bar".
Type: string
Default: "ALL:ALL"
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.extraRules.*.users
The usernames / UIDs this rule should apply for.
Type: list of string or signed integers
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.sudo.wheelNeedsPassword
Whether users of the wheel group must provide a password to run commands as super user via sudo.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
- security.tpm2.enable
Whether to enable Trusted Platform Module 2 support.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.abrmd.enable
Whether to enable the Trusted Platform 2 userspace resource manager daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.abrmd.package
tpm2-abrmd package to use
Type: package
Default: pkgs.tpm2-abrmd
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.applyUdevRules
Whether to make the /dev/tpm[0-9] devices accessible by the tssUser, or the /dev/tpmrm[0-9] by tssGroup respectively
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.pkcs11.enable
Whether to enable the TPM2 PKCS#11 tool and shared library in the system path (/run/current-system/sw/lib/libtpm2_pkcs11.so).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.pkcs11.package
tpm2-pkcs11 package to use
Type: package
Default: pkgs.tpm2-pkcs11
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.tctiEnvironment.enable
Set common TCTI environment variables to the specified value. The variables are
- TPM2TOOLS_TCTI
- TPM2_PKCS11_TCTI
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.tctiEnvironment.deviceConf
Configuration part of the device TCTI, e.g. the path to the TPM device. Applies if interface is set to "device". The format is specified in the tpm2-tools repository.
Type: string
Default: "/dev/tpmrm0"
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.tctiEnvironment.interface
The name of the TPM command transmission interface (TCTI) library to use.
Type: one of "tabrmd", "device"
Default: "device"
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.tctiEnvironment.tabrmdConf
Configuration part of the tabrmd TCTI, like the D-Bus bus name. Applies if interface is set to "tabrmd". The format is specified in the tpm2-tools repository.
Type: string
Default: "bus_name=com.intel.tss2.Tabrmd"
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.tssGroup
Group of the tpm kernel resource manager (tpmrm) device-group, set if applyUdevRules is set.
Type: null or string
Default: "tss"
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.tpm2.tssUser
Name of the tpm device-owner and service user, set if applyUdevRules is set.
Type: null or string
Default: if config.security.tpm2.abrmd.enable then "tss" else "root"
Declared by:
<nixpkgs/nixos/modules/security/tpm2.nix>
- security.unprivilegedUsernsClone
When disabled, unprivileged users will not be able to create new namespaces. By default unprivileged user namespaces are disabled. This option only works in a hardened profile.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/misc.nix>
- security.virtualisation.flushL1DataCache
Whether the hypervisor should flush the L1 data cache before entering guests. See also security.allowSimultaneousMultithreading.
- null
uses the kernel default
- "never"
disables L1 data cache flushing entirely. May be appropriate if all guests are trusted.
- "cond"
flushes L1 data cache only for pre-determined code paths. May leak information about the host address space layout.
- "always"
flushes L1 data cache every time the hypervisor enters the guest. May incur significant performance cost.
Type: null or one of "never", "cond", "always"
Default: null
Declared by:
<nixpkgs/nixos/modules/security/misc.nix>
- security.wrappers
This option effectively allows adding setuid/setgid bits, capabilities, changing file ownership and permissions of a program without directly modifying it. This works by creating a wrapper program under the security.wrapperDir directory, which is then added to the shell PATH.
Type: attribute set of submodules
Default: { }
Example:
{
  # a setuid root program
  doas = {
    setuid = true;
    owner = "root";
    group = "root";
    source = "${pkgs.doas}/bin/doas";
  };

  # a setgid program
  locate = {
    setgid = true;
    owner = "root";
    group = "mlocate";
    source = "${pkgs.locate}/bin/locate";
  };

  # a program with the CAP_NET_RAW capability
  ping = {
    owner = "root";
    group = "root";
    capabilities = "cap_net_raw+ep";
    source = "${pkgs.iputils.out}/bin/ping";
  };
}
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.capabilities
A comma-separated list of capabilities to be given to the wrapper program. For capabilities supported by the system check the capabilities(7) manual page.
Note
cap_setpcap, which is required for the wrapper program to be able to raise caps into the Ambient set, is NOT itself raised to the Ambient set, so the real program cannot modify its own capabilities. This may be too restrictive for cases in which the real program needs cap_setpcap, but it at least errs on the side of security paranoia rather than being too relaxed.
Type: strings concatenated with ","
Default: ""
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.group
The group of the wrapper program.
Type: string
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.owner
The owner of the wrapper program.
Type: string
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.permissions
The permissions of the wrapper program. The format is that of a symbolic or numeric file mode understood by chmod.
Type: file mode string
Default: "u+rx,g+x,o+x"
Example: "a+rx"
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.program
The name of the wrapper program. Defaults to the attribute name.
Type: null or string
Default: "‹name›"
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.setgid
Whether to add the setgid bit to the wrapper program.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.setuid
Whether to add the setuid bit to the wrapper program.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- security.wrappers.<name>.source
The absolute path to the program to be wrapped.
Type: path
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
- services.packagekit.enable
Whether to enable PackageKit, which provides a cross-platform D-Bus abstraction layer for installing software. Software utilizing PackageKit can install software regardless of the package manager.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/packagekit.nix>
- services.packagekit.settings
Additional settings passed straight through to PackageKit.conf
Type: attribute set of attribute set of INI atom (null, bool, int, float or string)ss
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/packagekit.nix>
- services.packagekit.vendorSettings
Additional settings passed straight through to Vendor.conf
Type: attribute set of attribute set of INI atom (null, bool, int, float or string)ss
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/packagekit.nix>
- services.SystemdJournal2Gelf.enable
Whether to enable SystemdJournal2Gelf.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
- services.SystemdJournal2Gelf.package
SystemdJournal2Gelf package to use.
Type: package
Default: pkgs.systemd-journal2gelf
Declared by:
<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
- services.SystemdJournal2Gelf.extraOptions
Any extra flags to pass to SystemdJournal2Gelf. Note that these are basically journalctl flags.
Type: strings concatenated with " "
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
- services.SystemdJournal2Gelf.graylogServer
Host and port of your graylog2 input. This should be a GELF UDP input.
Type: string
Example: "graylog2.example.com:11201"
Declared by:
<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
- services._3proxy.enable
Whether to enable 3proxy.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.confFile
Ignore all other 3proxy options and load configuration from this file.
Type: path
Example: "/var/lib/3proxy/3proxy.conf"
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.denyPrivate
Whether to deny access to private IP ranges including loopback.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.extraConfig
Extra configuration, appended to the 3proxy configuration file. Consult documentation for available options.
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.privateRanges
Which IP ranges to deny access to when denyPrivate is set to true.
Type: list of strings
Default: [ "0.0.0.0/8" "127.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "172.16.0.0/12" "192.168.0.0/16" "::" "::1" "fc00::/7" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.resolution
Use this option to configure name resolution and DNS caching.
Type: submodule
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.resolution.nscache
Set name cache size for IPv4.
Type: signed integer
Default: 65535
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.resolution.nscache6
Set name cache size for IPv6.
Type: signed integer
Default: 65535
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.resolution.nserver
List of nameservers to use.
Up to 5 nservers may be specified. If no nserver is configured, default system name resolution functions are used.
Type: list of strings
Default: [ ]
Example: [ "127.0.0.53" "192.168.1.3:5353/tcp" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.resolution.nsrecord
Adds static nsrecords.
Type: attribute set of strings
Default: { }
Example:
{ "files.local" = "192.168.1.12"; "site.local" = "192.168.1.43"; }
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services
Use this option to define 3proxy services.
Type: list of submodules
Default: [ ]
Example:
[ { type = "proxy"; bindAddress = "192.168.1.24"; bindPort = 3128; auth = [ "none" ]; } { type = "proxy"; bindAddress = "10.10.1.20"; bindPort = 3128; auth = [ "iponly" ]; } { type = "socks"; bindAddress = "172.17.0.1"; bindPort = 1080; auth = [ "strong" ]; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.acl
Use this option to limit user access to resources.
Type: list of submodules
Default: [ ]
Example:
[ { rule = "allow"; users = [ "user1" ]; } { rule = "allow"; sources = [ "192.168.1.0/24" ]; } { rule = "deny"; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.acl.*.rule
ACL rule. The following values are valid:
- "allow": connections allowed.
- "deny": connections not allowed.
Type: one of "allow", "deny"
Example: "allow"
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.acl.*.sources
List of source IP ranges, use empty list for any.
Type: list of strings
Default: [ ]
Example: [ "127.0.0.1" "192.168.1.0/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.acl.*.targetPorts
List of target ports, use empty list for any.
Type: list of signed integers
Default: [ ]
Example: [ 80 443 ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.acl.*.targets
List of target IP ranges, use empty list for any. May also contain host names instead of addresses. A wildcard may be used at the beginning and at the end of a hostname, e.g. *badsite.com or *badcontent*. The hostname is only checked if a hostname is present in the request.
Type: list of strings
Default: [ ]
Example: [ "127.0.0.1" "192.168.1.0/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.acl.*.users
List of users, use empty list for any.
Type: list of strings
Default: [ ]
Example: [ "user1" "user2" "user3" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.auth
Authentication type. The following values are valid:
- "none": disables both authentication and authorization. You can not use ACLs.
- "iponly": specifies no authentication. ACLs authorization is used.
- "strong": authentication by username/password. If user is not registered their access is denied regardless of ACLs.
Double authentication is possible, e.g.
{
  auth = [ "iponly" "strong" ];
  acl = [
    { rule = "allow"; targets = [ "192.168.0.0/16" ]; }
    { rule = "allow"; users = [ "user1" "user2" ]; }
  ];
}
In this example strong username authentication is not required to access 192.168.0.0/16.
Type: list of one of "none", "iponly", "strong"s
Example: [ "iponly" "strong" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.bindAddress
Address used for service.
Type: string
Default: "[::]"
Example: "127.0.0.1"
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.bindPort
Override default port used for service.
Type: null or signed integer
Default: null
Example: 3128
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.extraArguments
Extra arguments for service. Consult "Options" section in documentation for available arguments.
Type: null or string
Default: null
Example: "-46"
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.extraConfig
Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. Consult documentation for available options.
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.maxConnections
Maximum number of simultaneous connections to this service.
Type: signed integer
Default: 100
Example: 1000
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.services.*.type
Service type. The following values are valid:
- "proxy": HTTP/HTTPS proxy (default port 3128).
- "socks": SOCKS 4/4.5/5 proxy (default port 1080).
- "pop3p": POP3 proxy (default port 110).
- "ftppr": FTP proxy (default port 21).
- "admin": Web interface (default port 80).
- "dnspr": Caching DNS proxy (default port 53).
- "tcppm": TCP portmapper.
- "udppm": UDP portmapper.
Type: one of "proxy", "socks", "pop3p", "ftppr", "admin", "dnspr", "tcppm", "udppm"
Example: "proxy"
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
- services._3proxy.usersFile
Load users and passwords from this file.
Example users file with plain-text passwords:
test1:CL:password1
test2:CL:password2
Example users file with md5-crypted passwords:
test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1
test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME.
You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/. Note that the htpasswd tool generates incompatible md5-crypted passwords. Consult documentation for more information.
Type: null or path
Default: null
Example: "/var/lib/3proxy/3proxy.passwd"
Declared by:
<nixpkgs/nixos/modules/services/networking/3proxy.nix>
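A restrictive 3proxy service definition assembled only from the services._3proxy options listed above, shown beside the open form it replaces. This is an added example, not taken from the NixOS module or its documentation; the bind address, port, user name and target ports are constructed for illustration.

```nix
{ ... }:
{
  services._3proxy = {
    enable = true;

    # Keep the default: refuse to proxy to loopback and private ranges
    # (the list in services._3proxy.privateRanges).
    denyPrivate = true;

    # Users for "strong" authentication; path taken from the option's example.
    # The file holds credentials, so keep it out of the world-readable Nix store.
    usersFile = "/var/lib/3proxy/3proxy.passwd";

    services = [
      # Open form, left commented out: auth "none" disables authentication
      # and authorization (ACLs cannot be used), and the default bindAddress
      # "[::]" is not restricted to one interface.
      # { type = "proxy"; auth = [ "none" ]; }

      # Restrictive form: one interface, password authentication, and an
      # ACL that ends in an explicit deny.
      {
        type = "socks";
        bindAddress = "192.168.1.24";   # constructed address
        bindPort = 1080;
        auth = [ "strong" ];            # unregistered users are denied regardless of ACLs
        maxConnections = 100;
        acl = [
          { rule = "allow"; users = [ "user1" ]; targetPorts = [ 80 443 ]; }
          { rule = "deny"; }
        ];
      }
    ];
  };
}
```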
- services.accounts-daemon.enable
Whether to enable AccountsService, a DBus service for accessing the list of user accounts and information attached to those accounts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/desktops/accountsservice.nix>
- services.acpid.enable
Whether to enable the ACPI daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.acEventCommands
Shell commands to execute on an ac_adapter.* event.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.handlers
Event handlers.
Note
Handler can be a single command.
Type: attribute set of submodules
Default: { }
Example: { ac-power = { action = "vals=($1) # space separated string to array of multiple values\ncase \${vals[3]} in\n 00000000)\n echo unplugged >> /tmp/acpi.log\n ;;\n 00000001)\n echo plugged in >> /tmp/acpi.log\n ;;\n *)\n echo unknown >> /tmp/acpi.log\n ;;\nesac\n"; event = "ac_adapter/*"; } ; }
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.handlers.<name>.action
Shell commands to execute when the event is triggered.
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.handlers.<name>.event
Event type.
Type: string
Example: "button/power.*" "button/lid.*" "ac_adapter.*" "button/mute.*" "button/volumedown.*" "cd/play.*" "cd/next.*"
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.lidEventCommands
Shell commands to execute on a button/lid.* event.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.logEvents
Log all event activity.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.acpid.powerEventCommands
Shell commands to execute on a button/power.* event.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/hardware/acpid.nix>
- services.activemq.enable
Enable the Apache ActiveMQ message broker service.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
- services.activemq.baseDir
The base directory where ActiveMQ stores its persistent data and logs. This will be overridden if you set "activemq.base" and "activemq.data" in the javaProperties option. You can also override this in activemq.xml.
Type: string
Default: "/var/activemq"
Declared by:
<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
- services.activemq.configurationDir
The base directory for ActiveMQ's configuration. By default, this directory is searched for a file named activemq.xml, which should contain the configuration for the broker service.
Type: string
Default: "${pkgs.activemq}/conf"
Declared by:
<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
- services.activemq.configurationURI
The URI that is passed along to the BrokerFactory to set up the configuration of the ActiveMQ broker service. You should not need to change this. For custom configuration, set the configurationDir instead, and create an activemq.xml configuration file in it.
Type: string
Default: "xbean:activemq.xml"
Declared by:
<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
- services.activemq.extraJavaOptions
Add extra options here that you want to be sent to the Java runtime when the broker service is started.
Type: strings concatenated with " "
Default: ""
Example: "-Xmx2G -Xms2G -XX:MaxPermSize=512M"
Declared by:
<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
- services.activemq.javaProperties
Specifies Java properties that are sent to the ActiveMQ broker service with the "-D" option. You can set properties here to change the behaviour and configuration of the broker. All essential properties that are not set here are automatically given reasonable defaults.
Type: attribute set
Default: { }
Example:
{ "java.net.preferIPv4Stack" = "true"; }
Declared by:
<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
- services.actkbd.enable
Whether to enable the actkbd key mapping daemon.
Turning this on will start an actkbd instance for every evdev input that has at least one key (which is okay even for systems with tiny memory footprint, since actkbd normally uses <100 bytes of memory per instance).
This allows binding keys globally without the need for e.g. X11.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.actkbd.bindings
Key bindings for actkbd.
See actkbd README for documentation.
The example shows a piece of what sound.mediaKeys.enable does when enabled.
Type: list of submodules
Default: [ ]
Example:
[ { keys = [ 113 ]; events = [ "key" ]; command = "${pkgs.alsa-utils}/bin/amixer -q set Master toggle"; } ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.actkbd.bindings.*.attributes
List of attributes.
Type: list of strings
Default: [ "exec" ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.actkbd.bindings.*.command
What to run.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.actkbd.bindings.*.events
List of events to match.
Type: list of one of "key", "rep", "rel"s
Default: [ "key" ]
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.actkbd.bindings.*.keys
List of keycodes to match.
Type: list of signed integers
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.actkbd.extraConfig
Literal contents to append to the end of actkbd configuration file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
- services.adguardhome.enable
Whether to enable AdGuard Home network-wide ad blocker.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
- services.adguardhome.extraArgs
Extra command line parameters to be passed to the adguardhome binary.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
- services.adguardhome.host
Host address to bind HTTP server to.
Type: string
Default: "0.0.0.0"
Declared by:
<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
- services.adguardhome.openFirewall
Open ports in the firewall for the AdGuard Home web interface. Does not open the port needed to access the DNS resolver.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
- services.adguardhome.port
Port to serve HTTP pages on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 3000
Declared by:
<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
- services.aerospike.enable
Whether to enable Aerospike server.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/databases/aerospike.nix>
- services.aerospike.package
Which Aerospike derivation to use
Type: package
Default: pkgs.aerospike
Declared by:
<nixpkgs/nixos/modules/services/databases/aerospike.nix>
- services.aerospike.extraConfig
Extra configuration
Type: strings concatenated with "\n"
Default: ""
Example:
''
  namespace test {
    replication-factor 2
    memory-size 4G
    default-ttl 30d
    storage-engine memory
  }
''
Declared by:
<nixpkgs/nixos/modules/services/databases/aerospike.nix>
- services.aerospike.networkConfig
network section of configuration file
Type: strings concatenated with "\n"
Default:
''
  service {
    address any
    port 3000
  }
  heartbeat {
    address any
    mode mesh
    port 3002
    interval 150
    timeout 10
  }
  fabric {
    address any
    port 3001
  }
  info {
    address any
    port 3003
  }
''
Declared by:
<nixpkgs/nixos/modules/services/databases/aerospike.nix>
- services.aerospike.workDir
Location where Aerospike stores its files
Type: string
Default: "/var/lib/aerospike"
Declared by:
<nixpkgs/nixos/modules/services/databases/aerospike.nix>
- services.airsonic.enable
Whether to enable Airsonic, the Free and Open Source media streaming server (fork of Subsonic and Libresonic).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.contextPath
The context path, i.e., the last part of the Airsonic URL. Typically '/' or '/airsonic'. Default '/'
Type: path
Default: "/"
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.home
The directory where Airsonic will create files. Make sure it is writable.
Type: path
Default: "/var/lib/airsonic"
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.jre
JRE package to use.
Airsonic only supports Java 8, airsonic-advanced requires at least Java 11.
Type: package
Default: pkgs.jre8
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.jvmOptions
Extra command line options for the JVM running Airsonic. Useful for sending jukebox output to non-default alsa devices.
Type: list of strings
Default: [ ]
Example: [ "-Djavax.sound.sampled.Clip='#CODEC [plughw:1,0]'" "-Djavax.sound.sampled.Port='#Port CODEC [hw:1]'" "-Djavax.sound.sampled.SourceDataLine='#CODEC [plughw:1,0]'" "-Djavax.sound.sampled.TargetDataLine='#CODEC [plughw:1,0]'" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.listenAddress
The host name or IP address on which to bind Airsonic. Only relevant if you have multiple network interfaces and want to make Airsonic available on only one of them. The default value will bind Airsonic to all available network interfaces.
Type: string
Default: "127.0.0.1"
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.maxMemory
The memory limit (max Java heap size) in megabytes. Default: 100
Type: signed integer
Default: 100
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.port
The port on which Airsonic will listen for incoming HTTP traffic. Set to 0 to disable.
Type: signed integer
Default: 4040
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.transcoders
List of paths to transcoder executables that should be accessible from Airsonic. Symlinks will be created to each executable inside /var/lib/airsonic/transcoders.
Type: list of paths
Default: [ "${pkgs.ffmpeg.bin}/bin/ffmpeg" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.user
User account under which airsonic runs.
Type: string
Default: "airsonic"
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.virtualHost
Name of the nginx virtualhost to use and set up. If null, do not set up any virtualhost.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.airsonic.war
Airsonic war file to use.
Type: path
Default: "${pkgs.airsonic}/webapps/airsonic.war"
Declared by:
<nixpkgs/nixos/modules/services/misc/airsonic.nix>
- services.alerta.enable
Whether to enable alerta.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.authenticationRequired
Whether users must authenticate when using the web UI or command-line tool
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.bind
Address to bind to. The default is to bind to all addresses
Type: string
Default: "0.0.0.0"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.corsOrigins
List of URLs that can access the API for Cross-Origin Resource Sharing (CORS)
Type: list of strings
Default: [ "http://localhost" "http://localhost:5000" ]
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.databaseName
Name of the database instance to connect to
Type: string
Default: "monitoring"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.databaseUrl
URL of the MongoDB or PostgreSQL database to connect to
Type: string
Default: "mongodb://localhost"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.extraConfig
These lines go into alertad.conf verbatim.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.logDir
Location where the logfiles are stored
Type: path
Default: "/var/log/alerta"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.port
Port of Alerta
Type: signed integer
Default: 5000
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.alerta.signupEnabled
Whether to prevent sign-up of new users via the web UI
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
- services.amule.enable
Whether to run the AMule daemon. You need to manually run "amuled --ec-config" to configure the service for the first time.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/amuled.nix>
- services.amule.dataDir
The directory holding configuration, incoming and temporary files.
Type: string
Default: "/home/amule/"
Declared by:
<nixpkgs/nixos/modules/services/networking/amuled.nix>
- services.amule.user
The user the AMule daemon should run as.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/amuled.nix>
- services.ananicy.enable
Whether to enable Ananicy, an auto nice daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/ananicy.nix>
- services.ananicy.package
Which ananicy package to use.
Type: package
Default: pkgs.ananicy
Example: pkgs.ananicy-cpp
Declared by:
<nixpkgs/nixos/modules/services/misc/ananicy.nix>
- services.ananicy.extraRules
Extra rules in json format on separate lines. See: https://github.com/Nefelim4ag/Ananicy#configuration https://gitlab.com/ananicy-cpp/ananicy-cpp/#global-configuration
Type: string
Default: ""
Example:
''
  { "name": "eog", "type": "Image-View" }
  { "name": "fdupes", "type": "BG_CPUIO" }
''
Declared by:
<nixpkgs/nixos/modules/services/misc/ananicy.nix>
- services.ananicy.settings
See https://github.com/Nefelim4ag/Ananicy/blob/master/ananicy.d/ananicy.conf
Type: attribute set of signed integer or boolean or strings
Default: { }
Example: { apply_nice = false; }
Declared by:
<nixpkgs/nixos/modules/services/misc/ananicy.nix>
- services.ankisyncd.enable
Whether to enable ankisyncd.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/ankisyncd.nix>
- services.ankisyncd.package
The package to use for the ankisyncd command.
Type: package
Default: pkgs.ankisyncd
Declared by:
<nixpkgs/nixos/modules/services/misc/ankisyncd.nix>
- services.ankisyncd.host
ankisyncd host
Type: string
Default: "localhost"
Declared by:
<nixpkgs/nixos/modules/services/misc/ankisyncd.nix>
- services.ankisyncd.openFirewall
Whether to open the firewall for the specified port.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/ankisyncd.nix>
- services.ankisyncd.port
ankisyncd port
Type: signed integer
Default: 27701
Declared by:
<nixpkgs/nixos/modules/services/misc/ankisyncd.nix>
- services.antennas.enable
Whether to enable Antennas.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/antennas.nix>
- services.antennas.antennasUrl
URL of Antennas.
Type: string
Default: "http://127.0.0.1:5004"
Declared by:
<nixpkgs/nixos/modules/services/networking/antennas.nix>
- services.antennas.deviceUUID
Device tuner UUID. Change this if you are running multiple instances.
Type: string
Default: "2f70c0d7-90a3-4429-8275-cbeeee9cd605"
Declared by:
<nixpkgs/nixos/modules/services/networking/antennas.nix>
- services.antennas.tunerCount
Number of tuners in tvheadend.
Type: signed integer
Default: 6
Declared by:
<nixpkgs/nixos/modules/services/networking/antennas.nix>
- services.antennas.tvheadendUrl
URL of Tvheadend.
Type: string
Default: "http://localhost:9981"
Declared by:
<nixpkgs/nixos/modules/services/networking/antennas.nix>
- services.apache-kafka.enable
Whether to enable Apache Kafka.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.package
The kafka package to use
Type: package
Default: pkgs.apacheKafka
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.brokerId
Broker ID.
Type: signed integer
Default: -1
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.extraProperties
Extra properties for server.properties.
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.hostname
Hostname the broker should bind to.
Type: string
Default: "localhost"
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.jre
The JRE with which to run Kafka
Type: package
Default: pkgs.apacheKafka.passthru.jre
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.jvmOptions
Extra command line options for the JVM running Kafka.
Type: list of strings
Default: [ ]
Example: [ "-Djava.net.preferIPv4Stack=true" "-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.local.only=true" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.log4jProperties
Kafka log4j property configuration.
Type: strings concatenated with "\n"
Default:
''
  log4j.rootLogger=INFO, stdout
  log4j.appender.stdout=org.apache.log4j.ConsoleAppender
  log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
  log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
''
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.logDirs
Log file directories
Type: list of paths
Default: [ "/tmp/kafka-logs" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.port
Port number the broker should listen on.
Type: signed integer
Default: 9092
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.serverProperties
Complete server.properties content. Other server.properties config options will be ignored if this option is used.
Type: null or strings concatenated with "\n"
Default: null
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apache-kafka.zookeeper
Zookeeper connection string
Type: string
Default: "localhost:2181"
Declared by:
<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
- services.apcupsd.enable
Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure. User manual: http://www.apcupsd.com/manual/manual.html. Note that apcupsd runs as root (to allow shutdown of computer). You can check the status of your UPS with the "apcaccess" command.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
- services.apcupsd.configText
Contents of the runtime configuration file, apcupsd.conf. The default settings make apcupsd autodetect USB UPSes, limit network access to localhost and shut down the system when the battery level is below 50 percent, or when the UPS has calculated that it has 5 minutes or less of remaining power-on time. See man apcupsd.conf for details.
Type: strings concatenated with "\n"
Default:
''
  UPSTYPE usb
  NISIP 127.0.0.1
  BATTERYLEVEL 50
  MINUTES 5
''
Declared by:
<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
- services.apcupsd.hooks
Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that event (prior to the default action). See "man apccontrol" for the list of events and what they represent.
A hook script can stop apccontrol from doing its default action by exiting with value 99. Do not do this unless you know what you're doing.
Type: attribute set of strings concatenated with "\n"s
Default: { }
Example: { doshutdown = "# shell commands to notify that the computer is shutting down"; }
Declared by:
<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
- services.arbtt.enable
Enable the arbtt statistics capture service.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
- services.arbtt.package
The package to use for the arbtt binaries.
Type: package
Default: pkgs.haskellPackages.arbtt
Declared by:
<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
- services.arbtt.logFile
The log file for captured samples.
Type: string
Default: "%h/.arbtt/capture.log"
Example: "/home/username/.arbtt-capture.log"
Declared by:
<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
- services.arbtt.sampleRate
The sampling interval in seconds.
Type: signed integer
Default: 60
Example: 120
Declared by:
<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
- services.aria2.enable
Whether or not to enable the headless Aria2 daemon service.
The Aria2 daemon can be controlled via the RPC interface using one of many WebUIs (http://localhost:6800/ by default).
Targets are downloaded to /var/lib/aria2/Downloads by default and are accessible to users in the "aria2" group.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.aria2.downloadDir
Directory to store downloaded files.
Type: path
Default: "/var/lib/aria2/Downloads"
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.aria2.extraArguments
Additional arguments to be passed to Aria2.
Type: strings concatenated with " "
Default: ""
Example: "--rpc-listen-all --remote-time=true"
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.aria2.listenPortRange
Set the UDP listening port range used by DHT (IPv4, IPv6) and the UDP tracker.
Type: list of attribute sets
Default: [ { from = 6881; to = 6999; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.aria2.openPorts
Open listen and RPC ports found in listenPortRange and rpcListenPort options in the firewall.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.aria2.rpcListenPort
Specify a port number for the JSON-RPC/XML-RPC server to listen on. Possible values: 1024-65535
Type: signed integer
Default: 6800
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.aria2.rpcSecret
Set RPC secret authorization token. Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.
Type: string
Default: "aria2rpc"
Declared by:
<nixpkgs/nixos/modules/services/networking/aria2.nix>
- services.asterisk.enable
Whether to enable the Asterisk PBX server.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/asterisk.nix>
- services.asterisk.package
The Asterisk package to use.
Type: package
Default: pkgs.asterisk
Declared by:
<nixpkgs/nixos/modules/services/networking/asterisk.nix>
- services.asterisk.confFiles
Sets the content of config files (typically ending with .conf) in the Asterisk configuration directory.
Note that if you want to change asterisk.conf, it is preferable to use the services.asterisk.extraConfig option over this option. If "asterisk.conf" is specified with the confFiles option (not recommended), you must be prepared to set your own astetcdir path.
See http://www.asterisk.org/community/documentation for more examples of what is possible here.
Type: attribute set of strings
Default: { }
Example:
{
  "extensions.conf" = ''
    [tests]
    ; Dial 100 for "hello, world"
    exten => 100,1,Answer()
    same  => n,Wait(1)
    same  => n,Playback(hello-world)
    same  => n,Hangup()

    [softphones]
    include => tests

    [unauthorized]
  '';
  "sip.conf" = ''
    [general]
    allowguest=no              ; Require authentication
    context=unauthorized       ; Send unauthorized users to /dev/null
    srvlookup=no               ; Don't do DNS lookup
    udpbindaddr=0.0.0.0        ; Listen on all interfaces
    nat=force_rport,comedia    ; Assume device is behind NAT

    [softphone](!)
    type=friend                ; Match on username first, IP second
    context=softphones         ; Send to softphones context in
                               ; extensions.conf file
    host=dynamic               ; Device will register with asterisk
    disallow=all               ; Manually specify codecs to allow
    allow=g722
    allow=ulaw
    allow=alaw

    [myphone](softphone)
    secret=GhoshevFew          ; Change this password!
  '';
  "logger.conf" = ''
    [general]

    [logfiles]
    ; Add debug output to log
    syslog.local0 => notice,warning,error,debug
  '';
}
Declared by:
<nixpkgs/nixos/modules/services/networking/asterisk.nix>
- services.asterisk.extraArguments
Additional command line arguments to pass to Asterisk.
Type: list of strings
Default: [ ]
Example: [ "-vvvddd" "-e" "1024" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/asterisk.nix>
- services.asterisk.extraConfig
Extra configuration options appended to the default asterisk.conf file.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  [options]
  verbose=3
  debug=3
''
Declared by:
<nixpkgs/nixos/modules/services/networking/asterisk.nix>
- services.asterisk.useTheseDefaultConfFiles
Sets these config files to the default content. The default value for this option contains all necessary files to avoid errors at startup. This does not override settings via services.asterisk.confFiles.
Type: list of strings
Default: [ "ari.conf" "acl.conf" "agents.conf" "amd.conf" "calendar.conf" "cdr.conf" "cdr_syslog.conf" "cdr_custom.conf" "cel.conf" "cel_custom.conf" "cli_aliases.conf" "confbridge.conf" "dundi.conf" "features.conf" "hep.conf" "iax.conf" "pjsip.conf" "pjsip_wizard.conf" "phone.conf" "phoneprov.conf" "queues.conf" "res_config_sqlite3.conf" "res_parking.conf" "statsd.conf" "udptl.conf" "unistim.conf" ]
Example: [ "sip.conf" "dundi.conf" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/asterisk.nix>
- services.atd.enable
Whether to enable the at daemon, a command scheduler.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/scheduling/atd.nix>
- services.atd.allowEveryone
Whether to make /var/spool/at{jobs,spool} writeable by everyone (and sticky). This is normally not needed since the at commands are setuid/setgid atd.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/scheduling/atd.nix>
- services.atftpd.enable
Whether to enable the atftpd TFTP server. By default, the server binds to address 0.0.0.0.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/atftpd.nix>
- services.atftpd.extraOptions
Extra command line arguments to pass to atftp.
Type: list of strings
Default: [ ]
Example:
[ "--bind-address 192.168.9.1" "--verbose=7" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/atftpd.nix>
- services.atftpd.root
Document root directory for the atftpd.
Type: path
Default: "/srv/tftp"
Declared by:
<nixpkgs/nixos/modules/services/networking/atftpd.nix>
- services.auto-cpufreq.enable
Whether to enable auto-cpufreq daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/hardware/auto-cpufreq.nix>
- services.autofs.enable
Mount filesystems on demand. Unmount them automatically. You may also be interested in afuse.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/autofs.nix>
- services.autofs.autoMaster
Contents of /etc/auto.master file. See auto.master(5) and autofs(5).
Type: string
Example:
let
  mapConf = pkgs.writeText "auto" ''
    kernel    -ro,soft,intr       ftp.kernel.org:/pub/linux
    boot      -fstype=ext2        :/dev/hda1
    windoze   -fstype=smbfs       ://windoze/c
    removable -fstype=ext2        :/dev/hdd
    cd        -fstype=iso9660,ro  :/dev/hdc
    floppy    -fstype=auto        :/dev/fd0
    server    -rw,hard,intr       / -ro myserver.me.org:/ \
                                  /usr myserver.me.org:/usr \
                                  /home myserver.me.org:/home
  '';
in ''
  /auto file:${mapConf}
''
Declared by:
<nixpkgs/nixos/modules/services/misc/autofs.nix>
- services.autofs.debug
Pass -d and -7 to automount and write log to the system journal.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/autofs.nix>
- services.autofs.timeout
Set the global minimum timeout, in seconds, until directories are unmounted
Type: signed integer
Default: 600
Declared by:
<nixpkgs/nixos/modules/services/misc/autofs.nix>
- services.automysqlbackup.enable
Whether to enable AutoMySQLBackup.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/backup/automysqlbackup.nix>
- services.automysqlbackup.calendar
Configures when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
Type: string
Default: "01:15:00"
Declared by:
<nixpkgs/nixos/modules/services/backup/automysqlbackup.nix>
- services.automysqlbackup.config
automysqlbackup configuration. Refer to ${pkgs.automysqlbackup}/etc/automysqlbackup.conf for details on supported values.
Type: attribute set of string or signed integer or boolean or list of stringss
Default: { }
Example:
{
  db_names = [ "nextcloud" "matomo" ];
  table_exclude = [ "nextcloud.oc_users" "nextcloud.oc_whats_new" ];
  mailcontent = "log";
  mail_address = "admin@example.org";
}
Declared by:
<nixpkgs/nixos/modules/services/backup/automysqlbackup.nix>
- services.autorandr.enable
Whether to enable handling of hotplug and sleep events by autorandr.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/autorandr.nix>
- services.autorandr.defaultTarget
Fallback if no monitor layout can be detected. See the docs (https://github.com/phillipberndt/autorandr/blob/v1.0/README.md#how-to-use) for further reference.
Type: string
Default: "default"
Declared by:
<nixpkgs/nixos/modules/services/misc/autorandr.nix>
- services.autossh.sessions
List of AutoSSH sessions to start as systemd services. Each service is named 'autossh-{session.name}'.
Type: list of submodules
Default: [ ]
Example: [ { extraArguments = "-N -D4343 billremote@socks.host.net"; monitoringPort = 20000; name = "socks-peer"; user = "bill"; } ]
Declared by:
<nixpkgs/nixos/modules/services/networking/autossh.nix>
- services.autossh.sessions.*.extraArguments
Arguments to be passed to AutoSSH and retransmitted to SSH process. Some meaningful options include -N (don't run remote command), -D (open SOCKS proxy on local port), -R (forward remote port), -L (forward local port), -v (Enable debug). Check ssh manual for the complete list.
Type: strings concatenated with " "
Example: "-N -D4343 bill@socks.example.net"
Declared by:
<nixpkgs/nixos/modules/services/networking/autossh.nix>
- services.autossh.sessions.*.monitoringPort
Port to be used by AutoSSH for peer monitoring. Note that AutoSSH also uses mport+1. A value of 0 disables the keep-alive style monitoring.
Type: signed integer
Default: 0
Example: 20000
Declared by:
<nixpkgs/nixos/modules/services/networking/autossh.nix>
- services.autossh.sessions.*.name
Name of the local AutoSSH session
Type: string
Example: "socks-peer"
Declared by:
<nixpkgs/nixos/modules/services/networking/autossh.nix>
- services.autossh.sessions.*.user
Name of the user the AutoSSH session should run as
Type: string
Example: "bill"
Declared by:
<nixpkgs/nixos/modules/services/networking/autossh.nix>
- services.avahi.enable
Whether to run the Avahi daemon, which allows Avahi clients to use Avahi's service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by `avahi-daemon').
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.allowPointToPoint
Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large latencies with such links and opens a potential security hole by allowing mDNS access from Internet connections.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.browseDomains
List of non-local DNS domains to be browsed.
Type: list of strings
Default: [ ]
Example: [ "0pointer.de" "zeroconf.org" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.cacheEntriesMax
Number of resource records to be cached per interface. Use 0 to disable caching. Avahi daemon defaults to 4096 if not set.
Type: null or signed integer
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.domainName
Domain name for all advertisements.
Type: string
Default: "local"
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.extraConfig
Extra config to append to avahi-daemon.conf.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.extraServiceFiles
Specify custom service definitions which are placed in the avahi service directory. See the avahi.service(5) manpage for detailed information.
Type: attribute set of string or paths
Default: { }
Example:
{
  ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
  smb = ''
    <?xml version="1.0" standalone='no'?><!--*-nxml-*-->
    <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
    <service-group>
      <name replace-wildcards="yes">%h</name>
      <service>
        <type>_smb._tcp</type>
        <port>445</port>
      </service>
    </service-group>
  '';
}
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.hostName
Host name advertised on the LAN. If not set, avahi will use the value of config.networking.hostName.
Type: string
Default: config.networking.hostName
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.interfaces
List of network interfaces that should be used by the avahi-daemon. Other interfaces will be ignored. If null, all local interfaces except loopback and point-to-point will be used.
Type: null or list of strings
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.ipv4
Whether to use IPv4.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.ipv6
Whether to use IPv6.
Type: boolean
Default: config.networking.enableIPv6
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.nssmdns
Whether to enable the mDNS NSS (Name Service Switch) plug-in. Enabling it allows applications to resolve names in the `.local' domain by transparently querying the Avahi daemon.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.openFirewall
Whether to open the firewall for UDP port 5353.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.publish.enable
Whether to allow publishing in general.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.publish.addresses
Whether to register mDNS address records for all local IP addresses.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.publish.domain
Whether to announce the locally used domain name for browsing by other hosts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.publish.hinfo
Whether to register a mDNS HINFO record which contains information about the local operating system and CPU.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.publish.userServices
Whether to publish user services. Will set addresses=true.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.publish.workstation
Whether to register a service of type "_workstation._tcp" on the local LAN.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.reflector
Reflect incoming mDNS requests to all allowed network interfaces.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.avahi.wideArea
Whether to enable wide-area service discovery.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
- services.awstats.enable
Whether to enable awstats.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs
Attribute set of domains to collect stats for.
Type: attribute set of submodules
Default: { }
Example:
{ "mysite" = { domain = "example.com"; logFile = "/var/log/nginx/access.log"; }; }
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.domain
The domain name to collect stats for.
Type: string
Default: "‹name›"
Example: "example.com"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.extraConfig
Extra configuration to be appended to awstats.${name}.conf.
Type: attribute set of strings
Default: { }
Example:
{ "ValidHTTPCodes" = "404"; }
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.hostAliases
List of aliases the site has.
Type: list of strings
Default: [ ]
Example: [ "www.example.org" ]
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.logFile
The log file to be scanned.
For mail, set this to journalctl $OLD_CURSOR -u postfix.service | ${pkgs.perl}/bin/perl ${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard |
Type: string
Example: "/var/log/nginx/access.log"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.logFormat
The log format being used.
For mail, set this to %time2 %email %email_r %host %host_r %method %url %code %bytesd
Type: string
Default: "1"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.type
The type of log being collected.
Type: one of "mail", "web"
Default: "web"
Example: "mail"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.webService.enable
Whether to enable awstats web service.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.webService.hostname
The hostname the web service appears under.
Type: string
Default: "‹name›"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.configs.<name>.webService.urlPrefix
The URL prefix under which the awstats pages appear.
Type: string
Default: "/awstats"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.dataDir
The directory where awstats data will be stored.
Type: path
Default: "/var/lib/awstats"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.awstats.updateAt
Specification of the time at which awstats will get updated (in the format described by systemd.time(7)).
Type: null or string
Default: null
Example: "hourly"
Declared by:
<nixpkgs/nixos/modules/services/logging/awstats.nix>
- services.babeld.enable
Whether to enable the babeld network routing daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/babeld.nix>
- services.babeld.extraConfig
Options that will be copied to babeld.conf. See babeld(8) for details.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/babeld.nix>
- services.babeld.interfaceDefaults
A set describing default parameters for babeld interfaces. See babeld(8) for options.
Type: null or attribute set of unspecifieds
Default: null
Example: { split-horizon = true; type = "tunnel"; }
Declared by:
<nixpkgs/nixos/modules/services/networking/babeld.nix>
- services.babeld.interfaces
A set describing babeld interfaces. See babeld(8) for options.
Type: attribute set of attribute set of unspecifiedss
Default: { }
Example: { enp0s2 = { hello-interval = 5; split-horizon = "auto"; type = "wired"; } ; }
Declared by:
<nixpkgs/nixos/modules/services/networking/babeld.nix>
- services.bacula-dir.enable
Whether to enable Bacula Director Daemon.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-dir.extraConfig
Extra configuration for Bacula Director Daemon.
Type: strings concatenated with "\n"
Default: ""
Example:
'' TODO ''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-dir.extraDirectorConfig
Extra configuration to be passed in Director directive.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  Maximum Concurrent Jobs = 20;
  Heartbeat Interval = 30;
''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-dir.extraMessagesConfig
Extra configuration to be passed in Messages directive.
Type: strings concatenated with "\n"
Default: ""
Example:
'' console = all ''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-dir.name
The director name used by the system administrator. This directive is required.
Type: string
Default: "nixos-dir"
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-dir.password
Specifies the password that must be supplied for a Director.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-dir.port
Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify the DirAddresses (N.B. plural) directive.
Type: signed integer
Default: 9101
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.enable
Whether to enable the Bacula File Daemon.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.director
This option defines director resources in Bacula File Daemon.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.director.<name>.monitor
If Monitor is set to no, this director will have full access to this Storage daemon. If Monitor is set to yes, this director will only be able to fetch the current status of this Storage daemon.
Please note that if this director is being used by a Monitor, we highly recommend setting this directive to yes to avoid serious security problems.
Type: one of "no", "yes"
Default: "no"
Example: "yes"
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.director.<name>.password
Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network; instead, a challenge-response hash code created with the password is used. This directive is required. If you have either /dev/random or bc on your machine, Bacula will generate a random password during the configuration process; otherwise it will be left blank and you must manually supply it.
The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.extraClientConfig
Extra configuration to be passed in Client directive.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  Maximum Concurrent Jobs = 20;
  Heartbeat Interval = 30;
''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.extraMessagesConfig
Extra configuration to be passed in Messages directive.
Type: strings concatenated with "\n"
Default: ""
Example:
'' console = all ''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.name
The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple Clients. This directive is required.
Type: string
Default: "nixos-fd"
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-fd.port
This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director's configuration file.
Type: signed integer
Default: 9102
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.enable
Whether to enable Bacula Storage Daemon.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.autochanger
This option defines Autochanger resources in Bacula Storage Daemon.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.autochanger.<name>.changerCommand
The name-string specifies an external program to be called that will automatically change volumes as required by Bacula. Normally, this directive will be specified only in the AutoChanger resource, which is then used for all devices. However, you may also specify the different Changer Command in each Device resource. Most frequently, you will specify the Bacula supplied mtx-changer script as follows:
"/path/mtx-changer %c %o %S %a %d"
and you will install mtx on your system (found in the depkgs release). An example of this command is in the default bacula-sd.conf file. For more details on the substitution characters that may be specified to configure your autochanger, please see the Autochangers chapter of this manual. For FreeBSD users, you might want to see one of the several chio scripts in examples/autochangers.
Type: string
Default: "/etc/bacula/mtx-changer %c %o %S %a %d"
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.autochanger.<name>.changerDevice
The specified name-string must be the generic SCSI device name of the autochanger that corresponds to the normal read/write Archive Device specified in the Device resource. This generic SCSI device name should be specified if you have an autochanger or if you have a standard tape drive and want to use the Alert Command (see below). For example, on Linux systems, for an Archive Device name of /dev/nst0, you would specify /dev/sg0 for the Changer Device name. Depending on your exact configuration, and the number of autochangers or the type of autochanger, what you specify here can vary. This directive is optional. See the Using Autochangers chapter of this manual for more details of using this and the following autochanger directives.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.autochanger.<name>.devices
Type: list of strings
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.autochanger.<name>.extraAutochangerConfig
Extra configuration to be passed in Autochanger directive.
Type: strings concatenated with "\n"
Default: ""
Example:
'' ''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.device
This option defines Device resources in Bacula Storage Daemon.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.device.<name>.archiveDevice
The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example /dev/nst0 or /dev/rmt/0mbn. For a DVD-writer, it will be for example /dev/hdc. It may also be a directory name if you are archiving to disk storage. In this case, you must supply the full absolute path to the directory. When specifying a tape device, it is preferable that the "non-rewind" variant of the device file name be given.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.device.<name>.extraDeviceConfig
Extra configuration to be passed in Device directive.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  LabelMedia = yes
  Random Access = no
  AutomaticMount = no
  RemovableMedia = no
  MaximumOpenWait = 60
  AlwaysOpen = no
''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.device.<name>.mediaType
The specified name-string names the type of media supported by this device, for example, DLT7000. Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director's configuration file.
Even though the names you assign are arbitrary (i.e. you choose the name you want), you should take care in specifying them because the Media Type is used to determine which storage device Bacula will select during restore. Thus you should probably use the same Media Type specification for all drives where the Media can be freely interchanged. This is not generally an issue if you have a single Storage daemon, but it is with multiple Storage daemons, especially if they have incompatible media.
For example, if you specify a Media Type of DDS-4 then during the restore, Bacula will be able to choose any Storage Daemon that handles DDS-4. If you have an autochanger, you might want to name the Media Type in a way that is unique to the autochanger, unless you wish to possibly use the Volumes in other drives. You should also ensure to have unique Media Type names if the Media is not compatible between drives. This specification is required for all devices.
In addition, if you are using disk storage, each Device resource will generally have a different mount point or directory. In order for Bacula to select the correct Device resource, each one must have a unique Media Type.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.director
This option defines Director resources in Bacula Storage Daemon.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.director.<name>.monitor
If Monitor is set to no, this director will have full access to this Storage daemon. If Monitor is set to yes, this director will only be able to fetch the current status of this Storage daemon.
Please note that if this director is being used by a Monitor, we highly recommend setting this directive to yes to avoid serious security problems.
Type: one of "no", "yes"
Default: "no"
Example: "yes"
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.director.<name>.password
Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network; instead, a challenge-response hash code created with the password is used. This directive is required. If you have either /dev/random or bc on your machine, Bacula will generate a random password during the configuration process, otherwise it will be left blank and you must manually supply it.
The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.extraMessagesConfig
Extra configuration to be passed in Messages directive.
Type: strings concatenated with "\n"
Default: ""
Example:
'' console = all ''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.extraStorageConfig
Extra configuration to be passed in Storage directive.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  Maximum Concurrent Jobs = 20;
  Heartbeat Interval = 30;
''
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.name
Specifies the Name of the Storage daemon.
Type: string
Default: "nixos-sd"
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bacula-sd.port
Specifies port number on which the Storage daemon listens for Director connections.
Type: signed integer
Default: 9103
Declared by:
<nixpkgs/nixos/modules/services/backup/bacula.nix>
- services.bamf.enable
Whether to enable bamf.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/desktops/bamf.nix>
- services.bazarr.enable
Whether to enable bazarr, a subtitle manager for Sonarr and Radarr.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/bazarr.nix>
- services.bazarr.group
Group under which bazarr runs.
Type: string
Default: "bazarr"
Declared by:
<nixpkgs/nixos/modules/services/misc/bazarr.nix>
- services.bazarr.listenPort
Port on which the bazarr web interface should listen
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 6767
Declared by:
<nixpkgs/nixos/modules/services/misc/bazarr.nix>
- services.bazarr.openFirewall
Open ports in the firewall for the bazarr web interface.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/bazarr.nix>
- services.bazarr.user
User account under which bazarr runs.
Type: string
Default: "bazarr"
Declared by:
<nixpkgs/nixos/modules/services/misc/bazarr.nix>
- services.beanstalkd.enable
Whether to enable the Beanstalk work queue.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
- services.beanstalkd.listen.address
IP address to listen on.
Type: string
Default: "127.0.0.1"
Example: "0.0.0.0"
Declared by:
<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
- services.beanstalkd.listen.port
TCP port that will be used to accept client connections.
Type: signed integer
Default: 11300
Declared by:
<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
- services.beanstalkd.openFirewall
Whether to open ports in the firewall for the server.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
- services.bee.enable
Whether to enable Ethereum Swarm Bee.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bee.nix>
- services.bee.package
The package providing the bee binary for the service.
Type: package
Default: pkgs.bee
Example: pkgs.bee-unstable
Declared by:
<nixpkgs/nixos/modules/services/networking/bee.nix>
- services.bee.daemonNiceLevel
Daemon process priority for bee. 0 is the default Unix process priority, 19 is the lowest.
Type: signed integer
Default: 0
Declared by:
<nixpkgs/nixos/modules/services/networking/bee.nix>
- services.bee.group
Group the bee binary should execute under.
Type: string
Default: "bee"
Declared by:
<nixpkgs/nixos/modules/services/networking/bee.nix>
- services.bee.settings
Ethereum Swarm Bee configuration. Refer to https://gateway.ethswarm.org/bzz/docs.swarm.eth/docs/installation/configuration/ for details on supported values.
Type: YAML value
Declared by:
<nixpkgs/nixos/modules/services/networking/bee.nix>
- services.bee.user
User the bee binary should execute under.
Type: string
Default: "bee"
Declared by:
<nixpkgs/nixos/modules/services/networking/bee.nix>
- services.bee-clef.enable
Whether to enable clef external signer instance for Ethereum Swarm Bee.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bee-clef.nix>
- services.bee-clef.dataDir
Data dir for bee-clef. Beware that some helper scripts may not work when changed! The service itself should work fine, though.
Type: null or string
Default: "/var/lib/bee-clef"
Declared by:
<nixpkgs/nixos/modules/services/networking/bee-clef.nix>
- services.bee-clef.group
Group the bee-clef daemon should execute under.
Type: string
Default: "bee-clef"
Declared by:
<nixpkgs/nixos/modules/services/networking/bee-clef.nix>
- services.bee-clef.passwordFile
Password file for bee-clef.
Type: null or string
Default: "/var/lib/bee-clef/password"
Declared by:
<nixpkgs/nixos/modules/services/networking/bee-clef.nix>
- services.bee-clef.user
User the bee-clef daemon should execute under.
Type: string
Default: "bee-clef"
Declared by:
<nixpkgs/nixos/modules/services/networking/bee-clef.nix>
- services.beesd.filesystems
BTRFS filesystems to run block-level deduplication on.
Type: attribute set of submodules
Default: { }
Example:
{
  root = {
    spec = "LABEL=root";
    hashTableSizeMB = 2048;
    verbosity = "crit";
    extraOptions = [ "--loadavg-target" "5.0" ];
  };
}
Declared by:
<nixpkgs/nixos/modules/services/misc/bees.nix>
- services.beesd.filesystems.<name>.extraOptions
Extra command-line options passed to the daemon. See upstream bees documentation.
Type: list of strings
Default: [ ]
Example:
[ "--thread-count" "4" ]
Declared by:
<nixpkgs/nixos/modules/services/misc/bees.nix>
- services.beesd.filesystems.<name>.hashTableSizeMB
Hash table size in MB; must be a multiple of 16.
A larger ratio of index size to storage size means smaller blocks of duplicate content are recognized.
If you have 1TB of data, a 4GB hash table (which is to say, a value of 4096) will permit 4KB extents (the smallest possible size) to be recognized, whereas a value of 1024 -- creating a 1GB hash table -- will recognize only aligned duplicate blocks of 16KB.
Type: signed integer
Default: 1024
Declared by:
<nixpkgs/nixos/modules/services/misc/bees.nix>
- services.beesd.filesystems.<name>.spec
Description of how to identify the filesystem to be deduplicated by this instance of bees. Note that deduplication crosses subvolumes; one must not configure multiple instances for subvolumes of the same filesystem (or block devices which are part of the same filesystem), but only for completely independent btrfs filesystems.
This must be in a format usable by findmnt; that could be a key=value pair, or a bare path to a mount point.
Type: string
Example: "LABEL=MyBulkDataDrive"
Declared by:
<nixpkgs/nixos/modules/services/misc/bees.nix>
- services.beesd.filesystems.<name>.verbosity
Log verbosity (syslog keyword/level).
Type: one of "alert", "crit", "debug", "emerg", "err", "info", "notice", "warning", 1, 2, 7, 0, 3, 6, 5, 4
Default: "info"
Declared by:
<nixpkgs/nixos/modules/services/misc/bees.nix>
- services.beesd.filesystems.<name>.workDir
Name (relative to the root of the filesystem) of the subvolume where the hash table will be stored.
Type: string
Default: ".beeshome"
Declared by:
<nixpkgs/nixos/modules/services/misc/bees.nix>
- services.bepasty.enable
Whether to enable Bepasty servers.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers
Configure a number of bepasty servers which will be started with gunicorn.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.bind
Bind address to be used for this server.
Type: string
Default: "127.0.0.1:8000"
Example: "0.0.0.0:8000"
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.dataDir
Path to the directory where the pastes will be saved.
Type: string
Default: "/var/lib/bepasty/data"
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.defaultPermissions
Default permissions for all unauthenticated accesses.
Type: string
Default: "read"
Example: "read,create,delete"
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.extraConfig
Extra configuration for the bepasty server, appended to its configuration. See https://bepasty-server.readthedocs.org/en/latest/quickstart.html#configuring-bepasty for all options.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  PERMISSIONS = {
    'myadminsecret': 'admin,list,create,read,delete',
  }
  MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
''
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.secretKey
Server secret for safe session cookies; must be set.
Warning: this secret is stored in the WORLD-READABLE Nix store!
It's recommended to use secretKeyFile which takes precedence over secretKey.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.secretKeyFile
A file that contains the server secret for safe session cookies; must be set.
secretKeyFile takes precedence over secretKey.
Warning: when secretKey is non-empty secretKeyFile defaults to a file in the WORLD-READABLE Nix store containing that secret.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.bepasty.servers.<name>.workDir
Path to the working directory (used for config and pidfile). Defaults to the user's home directory.
Type: string
Default: "/var/lib/bepasty"
Declared by:
<nixpkgs/nixos/modules/services/misc/bepasty.nix>
- services.biboumi.enable
Whether to enable the Biboumi XMPP gateway to IRC.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.credentialsFile
Path to a configuration file to be merged with the settings. Beware not to surround "=" with spaces when setting biboumi's options in this file. Useful for merging a file that is better kept out of the Nix store because it contains sensitive data such as a password.
Type: path
Default: "/dev/null"
Example: "/run/keys/biboumi.cfg"
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.openFirewall
Whether to enable opening of the identd port in the firewall.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings
See biboumi 8.5 for documentation.
Type: settings option
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.admin
The bare JID of the gateway administrator. This JID will have more privileges than other standard users, for example some administration ad-hoc commands will only be available to that JID.
Type: list of strings
Default: [ ]
Example: [ "admin@example.org" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.ca_file
Specifies which file should be used as the list of trusted CAs when negotiating a TLS session.
Type: path
Default: "/etc/ssl/certs/ca-certificates.crt"
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.db_name
The name of the database to use.
Type: path or string
Default: "/var/lib/biboumi/biboumi.sqlite"
Example: "postgresql://user:secret@localhost"
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.hostname
The hostname served by the XMPP gateway. This domain must be configured in the XMPP server as an external component.
Type: string
Example: "biboumi.example.org"
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.identd_port
The TCP port on which to listen for identd queries.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 113
Example: 0
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.log_level
Indicate what type of log messages to write in the logs. 0 is debug, 1 is info, 2 is warning, 3 is error.
Type: integer between 0 and 3 (both inclusive)
Default: 1
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.password
The password used to authenticate the XMPP component to your XMPP server. This password must be configured in the XMPP server, associated with the external component on hostname.
Set it to null and use credentialsFile if you do not want this password to go into the Nix store.
Type: null or string
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.persistent_by_default
Whether all rooms will be persistent by default: the value of the “persistent” option in the global configuration of each user will be “true”, but the value of each individual room will still default to false. This means that a user just needs to change the global “persistent” configuration option to false in order to override this.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.policy_directory
A directory that should contain the policy files, used to customize Botan’s behaviour when negotiating the TLS connections with the IRC servers.
Type: path
Default: "${pkgs.biboumi}/etc/biboumi"
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.port
The TCP port to use to connect to the local XMPP component.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 5347
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.realname_customization
Whether the users will be able to use the ad-hoc commands that let them configure their realname and username.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.realname_from_jid
Whether the realname and username of each biboumi user will be extracted from their JID. Otherwise they will be set to the nick they used to connect to the IRC server.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.biboumi.settings.xmpp_server_ip
The IP address to connect to the XMPP server on. The connection to the XMPP server is unencrypted, so the biboumi instance and the server should normally be on the same host.
Type: string
Default: "127.0.0.1"
Declared by:
<nixpkgs/nixos/modules/services/networking/biboumi.nix>
- services.bind.enable
Whether to enable BIND domain name server.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.package
The BIND package to use.
Type: package
Default: pkgs.bind
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.blockedNetworks
What networks are just blocked.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.cacheNetworks
What networks are allowed to use us as a resolver. Note that this is for recursive queries -- all networks are allowed to query zones configured with the `zones` option. It is recommended that you limit cacheNetworks to avoid your server being used for DNS amplification attacks.
Type: list of strings
Default: [ "127.0.0.0/24" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.configFile
Overridable config file to use for named. By default, the one generated by NixOS.
Type: path
Default: confFile
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.directory
Working directory of BIND.
Type: string
Default: "/run/named"
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.extraConfig
Extra lines to be added verbatim to the generated named configuration file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.extraOptions
Extra lines to be added verbatim to the options section of the generated named configuration file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.forwarders
List of servers we should forward requests to.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.ipv4Only
Only use ipv4, even if the host supports ipv6.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.listenOn
Interfaces to listen on.
Type: list of strings
Default: [ "any" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.listenOnIpv6
Ipv6 interfaces to listen on.
Type: list of strings
Default: [ "any" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones
List of zones we claim authority over.
Type: attribute set of submodules or list of attribute sets convertible to it
Default: [ ]
Example:
{
  example.com = {
    extraConfig = "";
    file = "/var/dns/example.com";
    master = false;
    masters = [ "192.168.0.1" ];
    slaves = [ ];
  };
}
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones.<name>.extraConfig
Extra zone config to be appended at the end of the zone section.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones.<name>.file
Zone file resource records contain columns of data, separated by whitespace, that define the record.
Type: string or path
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones.<name>.master
Master=false means slave server
Type: boolean
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones.<name>.masters
List of servers for inclusion in stub and secondary zones.
Type: list of strings
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones.<name>.name
Name of the zone.
Type: string
Default: "‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bind.zones.<name>.slaves
Addresses who may request zone transfers.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bind.nix>
- services.bird.enable
Whether to enable BIRD Internet Routing Daemon (1.6.x with IPv4 support).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird.checkConfig
Whether the config should be checked at build time. Disabling this might become necessary if the config includes files not present during build time.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird.config
BIRD Internet Routing Daemon configuration file. http://bird.network.cz/
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird2.enable
Whether to enable BIRD Internet Routing Daemon (2.x).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird2.checkConfig
Whether the config should be checked at build time. Disabling this might become necessary if the config includes files not present during build time.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird2.config
BIRD Internet Routing Daemon configuration file. http://bird.network.cz/
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird6.enable
Whether to enable BIRD Internet Routing Daemon (1.6.x with IPv6 support).
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird6.checkConfig
Whether the config should be checked at build time. Disabling this might become necessary if the config includes files not present during build time.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bird6.config
BIRD Internet Routing Daemon configuration file. http://bird.network.cz/
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/services/networking/bird.nix>
- services.bitcoind
Specification of one or more bitcoind instances.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.enable
Whether to enable Bitcoin daemon.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.package
The package providing bitcoin binaries.
Type: package
Default: pkgs.bitcoind
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.configFile
The configuration file path to supply bitcoind.
Type: null or path
Default: null
Example: "/var/lib/‹name›/bitcoin.conf"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.dataDir
The data directory for bitcoind.
Type: path
Default: "/var/lib/bitcoind-‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.dbCache
Override the default database cache size in MiB.
Type: null or integer between 4 and 16384 (both inclusive)
Default: null
Example: 4000
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.extraCmdlineOptions
Extra command line options to pass to bitcoind. Run bitcoind --help to list all available options.
Type: list of strings
Default: [ ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.extraConfig
Additional configurations to be appended to bitcoin.conf.
Type: strings concatenated with "\n"
Default: ""
Example:
''
  par=16
  rpcthreads=16
  logips=1
''
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.group
The group as which to run bitcoind.
Type: string
Default: "bitcoind-‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.pidFile
Location of bitcoind pid file.
Type: path
Default: "/var/lib/bitcoind-‹name›/bitcoind.pid"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.port
Override the default port on which to listen for connections.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.prune
Reduce storage requirements by enabling pruning (deleting) of old blocks. This allows the pruneblockchain RPC to be called to delete specific blocks, and enables automatic pruning of old blocks if a target size in MiB is provided. This mode is incompatible with -txindex and -rescan. Warning: Reverting this setting requires re-downloading the entire blockchain. ("disable" = disable pruning blocks, "manual" = allow manual pruning via RPC, >=550 = automatically prune block files to stay under the specified target size in MiB).
Type: null or unsigned integer, meaning >=0 or one of "disable", "manual" convertible to it
Default: null
Example: 10000
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.rpc.port
Override the default port on which to listen for JSON-RPC connections.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.rpc.users
RPC user information for JSON-RPC connections.
Type: attribute set of submodules
Default: { }
Example:
{
  alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
  bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
}
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.rpc.users.<name>.name
Username for JSON-RPC connections.
Type: string
Example: "alice"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.rpc.users.<name>.passwordHMAC
Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the format <SALT-HEX>$<HMAC-HEX>.
Tool (Python script) for HMAC generation is available here: https://github.com/bitcoin/bitcoin/blob/master/share/rpcauth/rpcauth.py
Type: string matching the pattern [0-9a-f]+\$[0-9a-f]{64}
Example: "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
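The <SALT-HEX>$<HMAC-HEX> value described above can be produced and checked as follows. This is an added example, not part of the NixOS manual or of the bitcoin project's code; it assumes the construction used by the linked rpcauth.py (HMAC-SHA-256 over the password, keyed with the hex salt string), and the function names, instance name and sample user are made up for illustration.

```python
import hmac
import re
import secrets

# Pattern copied from the option's "Type:" line above.
PASSWORD_HMAC_RE = re.compile(r"[0-9a-f]+\$[0-9a-f]{64}")


def password_to_hmac(salt_hex: str, password: str) -> str:
    """HMAC-SHA-256 of the password, keyed with the ASCII bytes of the hex salt.

    Assumption: this mirrors what share/rpcauth/rpcauth.py computes.
    """
    key = salt_hex.encode("utf-8")
    return hmac.new(key, password.encode("utf-8"), "sha256").hexdigest()


def make_password_hmac(password=None, salt_bytes=16):
    """Return (password, "<SALT-HEX>$<HMAC-HEX>").

    A random password is generated when none is given, so the cleartext
    never has to be typed into configuration.nix or end up in the Nix store.
    """
    if password is None:
        password = secrets.token_urlsafe(32)
    salt_hex = secrets.token_hex(salt_bytes)
    return password, f"{salt_hex}${password_to_hmac(salt_hex, password)}"


def is_valid_format(value: str) -> bool:
    """True if the value would pass the option's type check."""
    return PASSWORD_HMAC_RE.fullmatch(value) is not None


def check_password(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored value."""
    if not is_valid_format(stored):
        raise ValueError("not in <SALT-HEX>$<HMAC-HEX> format")
    salt_hex, digest = stored.split("$", 1)
    return hmac.compare_digest(password_to_hmac(salt_hex, candidate), digest)


def nix_line(instance: str, user: str, stored: str) -> str:
    """Render the configuration.nix assignment for one RPC user."""
    if not is_valid_format(stored):
        raise ValueError("refusing to emit a value the module would reject")
    return (
        f'services.bitcoind."{instance}".rpc.users."{user}".passwordHMAC'
        f' = "{stored}";'
    )


if __name__ == "__main__":
    # Constructed sample: instance "mainnet" and user "alice" are placeholders.
    cleartext, stored = make_password_hmac()
    print("Give this password to the RPC client only:", cleartext)
    print(nix_line("mainnet", "alice", stored))
```

Only the salted HMAC goes into configuration.nix, so the world-readable Nix store never holds the cleartext; the strength of the scheme still depends on the password being long and random, since the salt is stored next to the digest.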
- services.bitcoind.<name>.testnet
Whether to use the testnet instead of mainnet.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitcoind.<name>.user
The user as which to run bitcoind.
Type: string
Default: "bitcoind-‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
- services.bitlbee.enable
Whether to run the BitlBee IRC to other chat network gateway. Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat networks via an IRC client.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.authBackend
How users are authenticated:
storage -- save passwords internally
pam -- Linux PAM authentication
Type: one of "storage", "pam"
Default: "storage"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.authMode
The following authentication modes are available:
Open -- Accept connections from anyone, use NickServ for user authentication.
Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all.
Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself.
Type: one of "Open", "Closed", "Registered"
Default: "Open"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.configDir
Specify an alternative directory to store all the per-user configuration files.
Type: path
Default: "/var/lib/bitlbee"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.extraDefaults
Will be inserted in the Default section of the config file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.extraSettings
Will be inserted in the Settings section of the config file.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.hostName
Normally, BitlBee gets a hostname using getsockname(). If you have a nicer alias for your BitlBee daemon, you can set it here and BitlBee will identify itself with that name instead.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.interface
The interface the BitlBee daemon will be listening to. If `127.0.0.1', only clients on the local host can connect to it; if `0.0.0.0', clients can access it from any network interface.
Type: string
Default: "127.0.0.1"
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.libpurple_plugins
The list of libpurple plugins to install.
Type: list of packages
Default: [ ]
Example: [ pkgs.purple-matrix ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.plugins
The list of bitlbee plugins to install.
Type: list of packages
Default: [ ]
Example: [ pkgs.bitlbee-facebook ]
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.portNumber
Number of the port BitlBee will be listening to.
Type: signed integer
Default: 6667
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.bitlbee.protocols
This option allows removing support for protocols, even if compiled in. If nothing is given, there are no restrictions.
Type: string
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
- services.blackfire-agent.enable
Whether to enable Blackfire profiler agent.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/development/blackfire.nix>
- services.blackfire-agent.settings
See https://blackfire.io/docs/up-and-running/configuration/agent
Type: attribute set of strings
Declared by:
<nixpkgs/nixos/modules/services/development/blackfire.nix>
- services.blackfire-agent.settings.server-id
Sets the server id used to authenticate with Blackfire
You can find your personal server-id at https://blackfire.io/my/settings/credentials
Type: string
Declared by:
<nixpkgs/nixos/modules/services/development/blackfire.nix>
- services.blackfire-agent.settings.server-token
Sets the server token used to authenticate with Blackfire
You can find your personal server-token at https://blackfire.io/my/settings/credentials
Type: string
Declared by:
<nixpkgs/nixos/modules/services/development/blackfire.nix>
- services.blockbook-frontend
Specification of one or more blockbook-frontend instances.
Type: attribute set of submodules
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.enable
Whether to enable blockbook-frontend application.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.package
Which blockbook package to use.
Type: package
Default: pkgs.blockbook
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.certFile
To enable SSL, specify path to the name of certificate files without extension. Expecting certFile.crt and certFile.key.
Type: null or path
Default: null
Example: "/etc/secrets/blockbook-frontend-‹name›/certFile"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.coinName
See https://github.com/trezor/blockbook/blob/master/bchain/coins/blockchain.go#L61 for the current list of coins supported in master (Note: may differ from release).
Type: string
Default: "Bitcoin"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.configFile
Location of the blockbook configuration file.
Type: null or path
Default: null
Example: "/var/lib/blockbook-frontend-‹name›/config.json"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.cssDir
Location of the dir with main.css CSS file. By default, the one shipped with the package is used.
Type: path
Default: "${package}/share/css/"
Example: "${dataDir}/static/css/"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.dataDir
Location of blockbook-frontend-‹name› data directory.
Type: path
Default: "/var/lib/blockbook-frontend-‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.debug
Debug mode, return more verbose errors, reload templates on each request.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.extraCmdLineOptions
Extra command line options to pass to Blockbook. Run blockbook --help to list all available options.
Type: list of strings
Default: [ ]
Example: [ "-workers=1" "-dbcache=0" "-logtostderr" ]
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.extraConfig
Additional configurations to be appended to coin.conf. Overrides any already defined configuration options. See https://github.com/trezor/blockbook/tree/master/configs/coins for current configuration options supported in master (Note: may differ from release).
Type: attribute set
Default: { }
Example:
{
  "alternative_estimate_fee" = "whatthefee-disabled";
  "alternative_estimate_fee_params" = "{\"url\": \"https://whatthefee.io/data.json\", \"periodSeconds\": 60}";
  "fiat_rates" = "coingecko";
  "fiat_rates_params" = "{\"url\": \"https://api.coingecko.com/api/v3\", \"coin\": \"bitcoin\", \"periodSeconds\": 60}";
  "coin_shortcut" = "BTC";
  "coin_label" = "Bitcoin";
  "parse" = true;
  "subversion" = "";
  "address_format" = "";
  "xpub_magic" = 76067358;
  "xpub_magic_segwit_p2sh" = 77429938;
  "xpub_magic_segwit_native" = 78792518;
  "mempool_workers" = 8;
  "mempool_sub_workers" = 2;
  "block_addresses_to_keep" = 300;
}
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.group
The group as which to run blockbook-frontend-‹name›.
Type: string
Default: "blockbook-frontend-‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.internal
Internal http server binding [address]:port.
Type: null or string
Default: ":9030"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.messageQueueBinding
Message Queue Binding address:port.
Type: string
Default: "tcp://127.0.0.1:38330"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.public
Public http server binding [address]:port.
Type: null or string
Default: ":9130"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.rpc.password
RPC password for JSON-RPC connections. Warning: this is stored in cleartext in the Nix store!!! Use configFile or passwordFile if needed.
Type: string
Default: "rpc"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.rpc.passwordFile
File containing the password of the RPC user. Note: This option is ignored when configFile is used.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.rpc.port
Port for JSON-RPC connections.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 8030
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.rpc.url
URL for JSON-RPC connections.
Type: string
Default: "http://127.0.0.1"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.rpc.user
Username for JSON-RPC connections.
Type: string
Default: "rpc"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.sync
Synchronizes until tip; if used together with zeromq, keeps the index synchronized.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.templateDir
Location of the HTML templates. By default, ones shipped with the package are used.
Type: path
Default: "${package}/share/templates/"
Example: "${dataDir}/templates/static/"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.blockbook-frontend.<name>.user
The user as which to run blockbook-frontend-‹name›.
Type: string
Default: "blockbook-frontend-‹name›"
Declared by:
<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
- services.bloop.extraOptions
Specifies additional command line arguments to pass to the bloop Java process.
Type: list of strings
Default: [ ]
Example: [ "-J-Xmx2G" "-J-XX:MaxInlineLevel=20" "-J-XX:+UseParallelGC" ]
Declared by:
<nixpkgs/nixos/modules/services/development/bloop.nix>
- services.bloop.install
Whether to install a user service for the Bloop server.
The service must be manually started for each user with "systemctl --user start bloop".
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/development/bloop.nix>
- services.blueman.enable
Whether to enable blueman.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/desktops/blueman.nix>
- services.boinc.enable
Whether to enable the BOINC distributed computing client. If this option is set to true, the boinc_client daemon will be run as a background service. The boinccmd command can be used to control the daemon.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
- services.boinc.package
Which BOINC package to use.
Type: package
Default: pkgs.boinc
Declared by:
<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
- services.boinc.allowRemoteGuiRpc
If set to true, any remote host can connect to and control this BOINC client (subject to password authentication). If instead set to false, only the hosts listed in dataDir/remote_hosts.cfg will be allowed to connect.
See also: http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
- services.boinc.dataDir
The directory in which to store BOINC's configuration and data files.
Type: path
Default: "/var/lib/boinc"
Declared by:
<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
- services.boinc.extraEnvPackages
Additional packages to make available in the environment in which BOINC will run. Common choices are:
- pkgs.virtualbox
The VirtualBox virtual machine framework. Required by some BOINC projects, such as ATLAS@home.
- pkgs.ocl-icd
OpenCL infrastructure library. Required by BOINC projects that use OpenCL, in addition to a device-specific OpenCL driver.
- pkgs.linuxPackages.nvidia_x11
Provides CUDA libraries. Required by BOINC projects that use CUDA. Note that this requires an NVIDIA graphics device to be present on the system.
Also provides OpenCL drivers for NVIDIA GPUs; pkgs.ocl-icd is also needed in this case.
Type: list of packages
Default: [ ]
Example: [ pkgs.virtualbox ]
Declared by:
<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
- services.bookstack.enable
Whether to enable BookStack.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.appKeyFile
A file containing the AppKey. Used for encryption where needed. Can be generated with head -c 32 /dev/urandom | base64 and must be prefixed with base64:.
Type: path
Example: "/run/keys/bookstack-appkey"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.appURL
The root URL that you want to host BookStack on. All URLs in BookStack will be generated using this value. If you change this in the future you may need to run a command to update stored URLs in the database. Command example: php artisan bookstack:update-url https://old.example.com https://new.example.com
Type: string
Example: "https://example.com"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.cacheDir
BookStack cache directory.
Type: path
Default: "/var/cache/bookstack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.dataDir
BookStack data directory.
Type: path
Default: "/var/lib/bookstack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.database.createLocally
Create the database and database user locally.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.database.host
Database host address.
Type: string
Default: "localhost"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.database.name
Database name.
Type: string
Default: "bookstack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.database.passwordFile
A file containing the password corresponding to database.user.
Type: null or path
Default: null
Example: "/run/keys/bookstack-dbpassword"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.database.port
Database host port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 3306
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.database.user
Database username.
Type: string
Default: user
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.extraConfig
Lines to be appended verbatim to the BookStack configuration. Refer to https://www.bookstackapp.com/docs/ for details on supported values.
Type: null or strings concatenated with "\n"
Default: null
Example:
''
  ALLOWED_IFRAME_HOSTS="https://example.com"
  WKHTMLTOPDF=/home/user/bins/wkhtmltopdf
''
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.group
Group bookstack runs as.
Type: string
Default: "bookstack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.driver
Mail driver to use.
Type: one of "smtp", "sendmail"
Default: "smtp"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.encryption
SMTP encryption mechanism to use.
Type: null or value "tls" (singular enum)
Default: null
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.from
Mail "from" email.
Type: string
Default: "mail@bookstackapp.com"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.fromName
Mail "from" name.
Type: string
Default: "BookStack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.host
Mail host address.
Type: string
Default: "localhost"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.passwordFile
A file containing the password corresponding to mail.user.
Type: null or path
Default: null
Example: "/run/keys/bookstack-mailpassword"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.port
Mail host port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 1025
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.mail.user
Mail username.
Type: null or string
Default: null
Example: "bookstack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.maxUploadSize
The maximum size for uploads (e.g. images).
Type: string
Default: "18M"
Example: "1G"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx
With this option, you can customize the nginx virtualHost settings.
Type: submodule
Default: { }
Example:
{
  serverAliases = [
    "bookstack.${config.networking.domain}"
  ];
  # To enable encryption and let Let's Encrypt take care of the certificate
  forceSSL = true;
  enableACME = true;
}
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.enableACME
Whether to ask Let's Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.acmeFallbackHost
Host to which requests are proxied if the ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.acmeRoot
Directory for the ACME challenge, which is PUBLIC; don't put certs or keys in here.
Type: string
Default: "/var/lib/acme/acme-challenge"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.addSSL
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.basicAuth
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of strings
Default: { }
Example:
{ user = "password"; };
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.basicAuthFile
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>.
WARNING: The generated file contains the users' passwords hashed in a way that is not cryptographically secure.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.default
Makes this vhost the default.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.extraConfig
These lines go to the end of the vhost verbatim.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.forceSSL
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.globalRedirect
If set, all requests for this host are redirected permanently to the given hostname.
Type: null or string
Default: null
Example: "newserver.example.org"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.http2
Whether to enable HTTP 2. Note that (as of writing) due to nginx's implementation, to disable HTTP 2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.http3
Whether to enable HTTP 3. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that HTTP 3 support is experimental and *not* yet recommended for production. Read more at https://quic.nginx.org/
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.listen
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.
If you only want to set the addresses manually and not the ports, take a look at listenAddresses.
Type: list of submodules
Default: [ ]
Example: [ { addr = "195.154.1.1"; port = 443; ssl = true; } { addr = "192.154.1.1"; port = 80; } ]
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.listen.*.addr
IP address.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.listen.*.extraParameters
Extra parameters of this listen directive.
Type: list of strings
Default: [ ]
Example: [ "reuseport" "deferred" ]
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.listen.*.port
Port number.
Type: signed integer
Default: 80
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.listen.*.ssl
Enable SSL.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.listenAddresses
Listen addresses for this virtual host. Compared to listen, this only sets the addresses; the ports are chosen automatically.
Note: This option overrides enableIPv6.
Type: list of strings
Default: [ ]
Example: [ "127.0.0.1" "::1" ]
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations
Declarative location config
Type: attribute set of submodules
Default: { }
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; };
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.alias
Alias directory for requests.
Type: null or path
Default: null
Example: "/your/alias/directory"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.basicAuth
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of strings
Default: { }
Example:
{ user = "password"; };
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.basicAuthFile
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>.
WARNING: The generated file contains the users' passwords hashed in a way that is not cryptographically secure.
Type: null or path
Default: null
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.extraConfig
These lines go to the end of the location verbatim.
Type: strings concatenated with "\n"
Default: ""
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.fastcgiParams
FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won't unset the default values for other parameters.
Type: attribute set of strings
Default: { }
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.index
Adds index directive.
Type: null or string
Default: null
Example: "index.php index.html"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.priority
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default: 1000
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.proxyPass
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default: null
Example: "http://www.example.org/"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.proxyWebsockets
Whether to support proxying websocket connections with HTTP/1.1.
Type: boolean
Default: false
Example: true
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.return
Adds a return directive, for e.g. redirections.
Type: null or string
Default: null
Example: "301 http://example.com$request_uri"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.root
Root directory for requests.
Type: null or path
Default: null
Example: "/your/root/directory"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.locations.<name>.tryFiles
Adds try_files directive.
Type: null or string
Default: null
Example: "$uri =404"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.onlySSL
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.rejectSSL
Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.
Type: boolean
Default: false
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.root
The path of the web root directory.
Type: null or path
Default: null
Example: "/data/webserver/docs"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.serverAliases
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: [ ]
Example: [ "www.example.org" "example.org" ]
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.serverName
Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default: null
Example: "example.org"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.sslCertificate
Path to server SSL certificate.
Type: path
Example: "/var/host.cert"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.sslCertificateKey
Path to server SSL certificate key.
Type: path
Example: "/var/host.key"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.sslTrustedCertificate
Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default: null
Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.nginx.useACMEHost
A host of an existing Let's Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using security.acme.certs.
Type: null or string
Default: null
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.poolConfig
Options for the bookstack PHP pool. See the documentation on php-fpm.conf for details on configuration directives.
Type: attribute set of string or signed integer or booleans
Default:
{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
- services.bookstack.user
User bookstack runs as.
Type: string
Default: "bookstack"
Declared by:
<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
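The cleartext warnings on services.blockbook-frontend.<name>.rpc.password and services.bookstack.nginx.basicAuth, shown as a configuration fragment with the weak setting commented out beside the file-based option. This is an added example, not taken from the NixOS manual; the instance name btc, the host name and the /run/keys paths are constructed, and the secret files are assumed to be provisioned outside the Nix configuration.

```nix
{ ... }:
{
  services.blockbook-frontend.btc = {   # "btc" is a constructed instance name
    enable = true;

    # Both rpc.user and rpc.password default to "rpc", so set them explicitly.
    rpc.user = "blockbook";             # constructed value

    # Weak: the literal ends up in the world-readable Nix store.
    # rpc.password = "s3cret";

    # Corrected: only the path enters the store, the secret stays in the file.
    # A quoted string is used on purpose: a bare path literal such as
    # ./rpc-password can be copied into the store when it is interpolated.
    # Note from the option description: ignored when configFile is used.
    rpc.passwordFile = "/run/keys/blockbook-frontend-btc-rpc";
  };

  services.bookstack = {
    enable = true;
    appURL = "https://wiki.example.com";                      # constructed
    appKeyFile = "/run/keys/bookstack-appkey";
    database.passwordFile = "/run/keys/bookstack-dbpassword";

    nginx = {
      # Weak: user name and password are stored in plain text in the store.
      # basicAuth = { admin = "hunter2"; };

      # Corrected: an htpasswd file kept outside the store. It must be
      # readable by the nginx user and by nobody else.
      basicAuthFile = "/run/keys/bookstack-htpasswd";
    };
  };
}
```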
- services.borgbackup.jobs
Deduplicating backups using BorgBackup. Adding a job will cause a borg-job-NAME wrapper to be added to your system path, so that you can perform maintenance easily. See also the chapter about BorgBackup in the NixOS manual.
Type: attribute set of submodules
Default: { }
Example:
{ # for a local backup
  rootBackup = {
    paths = "/";
    exclude = [ "/nix" ];
    repo = "/path/to/local/repo";
    encryption = {
      mode = "repokey";
      passphrase = "secret";
    };
    compression = "auto,lzma";
    startAt = "weekly";
  };
}
{ # Root backing each day up to a remote backup server. We assume that you have
  #   * created a password less key: ssh-keygen -N "" -t ed25519 -f /path/to/ssh_key
  #     best practices are: use -t ed25519, /path/to = /run/keys
  #   * the passphrase is in the file /run/keys/borgbackup_passphrase
  #   * you have initialized the repository manually
  paths = [ "/etc" "/home" ];
  exclude = [ "/nix" "'**/.cache'" ];
  doInit = false;
  repo = "user3@arep.repo.borgbase.com:repo";
  encryption = {
    mode = "repokey-blake2";
    passCommand = "cat /path/to/passphrase";
  };
  environment = { BORG_RSH = "ssh -i /path/to/ssh_key"; };
  compression = "auto,lzma";
  startAt = "daily";
};
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.appendFailedSuffix
Append a .failed suffix to the archive name, which is only removed if borg create has a zero exit status.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.archiveBaseName
How to name the created archives. A timestamp, whose format is determined by dateFormat, will be appended. The full name can be modified at runtime ($archiveName). Placeholders like {hostname} must not be used.
Type: string matching the pattern [^/{}]+
Default: "${config.networking.hostName}-<name>"
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.compression
Compression method to use. Refer to borg help compression for all available options.
Type: string matching the pattern none|(auto,)?(lz4|zstd|zlib|lzma)(,[[:digit:]]{1,2})?
Default: "lz4"
Example: "auto,lzma"
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.dateFormat
Arguments passed to date to create a timestamp suffix for the archive name.
Type: string
Default: "+%Y-%m-%dT%H:%M:%S"
Example: "-u +%s"
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.doInit
Run borg init if the specified repo does not exist. You should set this to false if the repository is located on an external drive that might not always be mounted.
Type: boolean
Default: true
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.dumpCommand
Backup the stdout of this program instead of filesystem paths. Mutually exclusive with paths.
Type: null or path
Default: null
Example: "/path/to/createZFSsend.sh"
Declared by:
<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
- services.borgbackup.jobs.<name>.encryption.mode
Encryption mode to use. Setting a mode other than "none" requires you to specify a passCommand or a passphrase.
Type: one of "repokey", "keyfile", "repokey-blake2", "keyfile-blake2", "authenticated", "authenticated-bl