Appendix A. Configuration Options

boot.blacklistedKernelModules

List of names of kernel modules that should not be loaded automatically by the hardware probing code.

Type: list of strings

Default: [ ]

Example: [ "cirrusfb" "i2c_piix4" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.consoleLogLevel

The kernel console loglevel. All kernel messages with a log level smaller than this setting will be printed to the console.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.devShmSize

This option has no description.

Type: string

Default: "50%"

Example: "256m"

Declared by:

<vpsadminos/os/modules/system/boot/stage-2.nix>
boot.devSize

This option has no description.

Type: string

Default: "5%"

Example: "32m"

Declared by:

<vpsadminos/os/modules/system/boot/stage-2.nix>
boot.extraModprobeConfig

Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.d(5) for details.

Type: strings concatenated with "\n"

Default: ""

Example:

''
options parport_pc io=0x378 irq=7 dma=1
''

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.extraModulePackages

A list of additional packages supplying kernel modules.

Type: list of packages

Default: [ ]

Example:

[ config.boot.kernelPackages.nvidia_x11 ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.enable

Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.

Type: boolean

Default: "!config.boot.isContainer"

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
boot.initrd.availableKernelModules

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules listed here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Type: list of strings

Default: [ ]

Example: [ "sata_nv" "ext3" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.kernelModules

List of modules that are always loaded by the initrd.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.luks.cryptoModules

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Type: list of strings

Default: [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices

The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/name.

Type: attribute set of submodules

Default: { }

Example: { luksroot = { device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; } ; }

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.allowDiscards

Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.device

Path of the underlying encrypted block device.

Type: string

Example: "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fallbackToPassword

Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.credential

The FIDO2 credential ID.

Type: null or string

Default: null

Example: "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.gracePeriod

Time in seconds to wait for the FIDO2 key.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.passwordLess

Defines whether to use an empty string as the default salt. Enable only when your device is PIN protected, such as a Trezor.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard

Options for unlocking this LUKS device with a GPG-encrypted LUKS passphrase that is decrypted by a GPG smartcard. If null (the default), GPG smartcard support is disabled for this device.

Type: null or submodule

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard.encryptedPass

Path to the GPG encrypted passphrase.

Type: path

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard.gracePeriod

Time in seconds to wait for the GPG Smartcard.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard.publicKey

Path to the Public Key.

Type: path

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.header

The name of the file or block device that should be used as header for the encrypted device.

Type: null or string

Default: null

Example: "/root/header.img"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFile

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Type: null or string

Default: null

Example: "/dev/sdb1"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFileOffset

The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFileSize

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as the key file). If not specified, the whole keyFile will be used for decryption, instead of just the first keyFileSize bytes.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
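As an added example (not taken from the vpsAdminOS or nixpkgs documentation), the keyFile, keyFileOffset and keyFileSize options above combined with fallbackToPassword: the LUKS slot key is 4096 bytes read 4096 bytes into a raw partition on removable media, and the passphrase prompt is used when that media is absent. The UUID, the key partition path and the module names are placeholders for your own hardware:

```nix
{ config, lib, pkgs, ... }:

{
  boot.initrd.luks.devices.luksroot = {
    # Placeholder UUID: replace with the UUID of the encrypted partition.
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";

    # Placeholder: a raw partition on removable media that carries the key.
    keyFile = "/dev/disk/by-id/usb-REPLACE-ME-part1";

    # Use 4096 bytes of key material starting 4096 bytes into the partition
    # instead of the whole device (keyFileOffset / keyFileSize as described above).
    keyFileOffset = 4096;
    keyFileSize = 4096;

    # If the key media is missing, stop at a passphrase prompt rather than
    # failing the boot; the trade-off is that such a boot is no longer unattended.
    fallbackToPassword = true;

    # Leave TRIM disabled unless the caveats in the LUKS documentation are acceptable.
    allowDiscards = false;
  };

  # Stage 1 must be able to reach both the key partition and the root disk;
  # the module names here are placeholders for the drivers your hardware needs.
  boot.initrd.availableKernelModules = [ "usb_storage" "sd_mod" ];
}
```

Keeping the key on media that is normally removed means an attacker with the disk alone still faces the passphrase-protected slot, while the offset and size let the same partition carry other data without exposing the whole device as key material.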
boot.initrd.luks.devices.<name>.postOpenCommands

Commands that should be run right after we have mounted our LUKS device.

Type: strings concatenated with "\n"

Default: ""

Example:

''
umount /tmp/persistent
''

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.preLVM

Whether luksOpen is attempted before the LVM scan (true) or after it (false).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.preOpenCommands

Commands that should be run right before we try to mount our LUKS device. This can be useful if the key needed to open the drive is on another partition.

Type: strings concatenated with "\n"

Default: ""

Example:

''
mkdir -p /tmp/persistent
mount -t zfs rpool/safe/persistent /tmp/persistent
''

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey

The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.

Type: null or submodule

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.gracePeriod

Time in seconds to wait for the Yubikey.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.iterationStep

How much the iteration count for PBKDF2 is increased at each successful authentication.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.keyLength

Length of the LUKS slot key derived with PBKDF2, in bytes.

Type: signed integer

Default: 64

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.saltLength

Length of the new salt in bytes (64 is the effective maximum).

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.slot

Which slot on the Yubikey to challenge.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.storage.device

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Type: path

Default: "/dev/sda1"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.storage.fsType

The filesystem of the unencrypted device.

Type: string

Default: "vfat"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.storage.path

Absolute path of the salt on the unencrypted device with that device's root directory as "/".

Type: string

Default: "/crypt-storage/default"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.twoFactor

Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.fido2Support

Enables support for authenticating with FIDO2 devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.gpgSupport

Enables support for authenticating with a GPG encrypted password.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.mitigateDMAAttacks

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with a PCMCIA, ExpressCard, Thunderbolt or FireWire port. More information is available at http://en.wikipedia.org/wiki/DMA_attack. This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.reusePassphrases

When opening a new LUKS device try reusing last successful passphrase. Useful for mounting a number of devices that use the same passphrase without retyping it several times. Such setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.yubikeySupport

Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly set up a LUKS device and a Yubikey to work with this feature.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.network.enable

Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP. You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.flushBeforeStage2

Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.postCommands

Shell commands to be executed after stage 1 of the boot has initialised the network.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.ssh.enable

Start the SSH service during initrd boot. It can be used to debug a failing boot on a remote server, enter the passphrase for an encrypted partition, etc. The service is killed when stage-1 boot is finished. The sshd configuration is largely inherited from services.openssh.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.authorizedKeys

Authorized keys for the root user on initrd.

Type: list of strings

Default: "config.users.users.root.openssh.authorizedKeys.keys"

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.extraConfig

Verbatim contents of sshd_config.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.hostKeys

Specify SSH host keys to import into the initrd. To generate keys, use ssh-keygen(1):

# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

Warning

Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!

Additionally, even if your initrd supports secrets, if you're using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition.

Type: list of string or paths

Default: [ ]

Example: [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
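As an added example (not from the vpsAdminOS or nixpkgs documentation), an initrd SSH configuration that follows the warning above: it imports only keys generated with the ssh-keygen commands shown, never the host's regular /etc/ssh keys, and restricts who may log in. The authorized public key, the port choice, the sshd_config directives and the NIC module name are assumptions for illustration:

```nix
{ config, lib, pkgs, ... }:

{
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      # A port different from the stage-2 sshd so that clients do not record a
      # conflicting host key for the same host:port in known_hosts.
      port = 2222;
      # Dedicated keys created with the ssh-keygen commands above. Do not list
      # /etc/ssh/ssh_host_*_key here: without initrd secrets support these copies
      # land in the world-readable Nix store.
      hostKeys = [
        "/etc/secrets/initrd/ssh_host_ed25519_key"
      ];
      # Placeholder public key: only the key used to unlock the disk belongs here,
      # not the full set inherited from users.users.root.
      authorizedKeys = [
        "ssh-ed25519 AAAA-PLACEHOLDER-PUBLIC-KEY admin@unlock"
      ];
      # Appended verbatim to sshd_config (standard OpenSSH directives, assumed).
      extraConfig = ''
        PasswordAuthentication no
        PermitRootLogin prohibit-password
      '';
    };
  };

  # The network driver must be present in stage 1; "e1000e" is a placeholder
  # for whatever lspci -v reports for your card.
  boot.initrd.availableKernelModules = [ "e1000e" ];
}
```

Because the initrd and its host keys live on the unencrypted boot partition, treat the initrd key as disposable: it only needs to identify the unlock prompt to the administrator, and rotating it costs nothing, whereas a leaked regular host key would let anyone impersonate the running system.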
boot.initrd.network.ssh.port

Port on which SSH initrd service should listen.

Type: signed integer

Default: 22

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.shell

Login shell of the remote user. Can be used to limit the actions the user can perform.

Type: string

Default: "/bin/ash"

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.udhcpc.extraArgs

Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and networking.useDHCP are enabled.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.postDeviceCommands

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
boot.initrd.postMountCommands

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
boot.initrd.preFailCommands

Shell commands to be executed before the failure prompt is shown.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
boot.initrd.preLVMCommands

Shell commands to be executed immediately before LVM discovery. vpsAdminOS actually does not support LVM, this is just for compatibility with other modules.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
boot.initrd.supportedFilesystems

Names of supported filesystem types in the initial ramdisk.

Type: list of strings

Default: [ ]

Example: [ "btrfs" ]

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
boot.initrd.withHwSupport

Include hardware support kernel modules in the initrd (so that e.g. ZFS sees the disks).

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/config/kernel.nix>
boot.isContainer

This option has no description.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/activation/top-level.nix>
boot.kernel.randstructSeed

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.

Type: string

Default: ""

Example: "my secret seed"

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernel.sysctl

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

Type: attribute set of sysctl option values

Default: { }

Example:

{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }

Declared by:

<nixpkgs/nixos/modules/config/sysctl.nix>
boot.kernelModules

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelPackage

Base Linux kernel package.

Type: package

Default: (build of linux-5.10.25)

Declared by:

<vpsadminos/os/modules/config/kernel.nix>
boot.kernelPackages

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Type: unspecified

Default: "pkgs.linuxPackages"

Example:

pkgs.linuxPackages_2_6_25

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelParams

Parameters added to the kernel command line.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelPatches

A list of additional patches to apply to the kernel.

Type: list of attribute sets

Default: [ ]

Example:

[ pkgs.kernelPatches.ubuntu_fan_4_4 ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.loader.efi.canTouchEfiVariables

Whether the installation process is allowed to modify EFI boot variables.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
boot.loader.efi.efiSysMountPoint

Where the EFI System Partition is mounted.

Type: string

Default: "/boot"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
boot.loader.generationsDir.enable

Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files. This option is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
boot.loader.generationsDir.copyKernels

Whether to copy the necessary boot files into /boot, so that /nix/store is not needed by the boot loader.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
boot.loader.grub.enable

Whether to enable the GNU GRUB boot loader.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.enableCryptodisk

Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.configurationLimit

Maximum number of configurations in the boot menu. GRUB has problems when there are too many entries.

Type: signed integer

Default: 100

Example: 120

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.configurationName

GRUB entry name instead of default.

Type: string

Default: ""

Example: "Stable 2.6.21"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.copyKernels

Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.default

Index of the default menu item to be booted.

Type: signed integer or string

Default: "0"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.device

The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.

Type: string

Default: ""

Example: "/dev/disk/by-id/wwn-0x500001234567890a"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.devices

The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install GRUB onto multiple devices.

Type: list of strings

Default: [ ]

Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" ]

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.efiInstallAsRemovable

Whether to invoke grub-install with --removable.

Unless you turn this on, GRUB will install itself somewhere in boot.loader.efi.efiSysMountPoint (exactly where depends on other config variables). If you've set boot.loader.efi.canTouchEfiVariables *AND* you are currently booted in UEFI mode, then GRUB will use efibootmgr to modify the boot order in the EFI variables of your firmware to include this location. If you are *not* booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed ("efibootmgr: EFI variables are not supported on this system.").

If you turn this feature on, GRUB will install itself in a special location within efiSysMountPoint (namely EFI/boot/boot$arch.efi) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.

To summarize, turn this on if:

  • You are installing vpsAdminOS and want it to boot in UEFI mode, but you are currently booted in legacy mode

  • You want to make a drive that will boot regardless of the NVRAM state of the computer (like a USB "removable" drive)

  • You simply dislike the idea of depending on NVRAM state to make your drive bootable

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
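As an added example (not from the vpsAdminOS documentation), the combination of GRUB options the summary above describes for the "installing in legacy mode" and "removable drive" cases: GRUB is built with EFI support, installed to the fallback path firmware tries first, and no NVRAM entry is written. The mount point is the page's default; everything else is chosen for this scenario:

```nix
{ config, lib, pkgs, ... }:

{
  boot.loader.efi.efiSysMountPoint = "/boot";

  boot.loader.grub = {
    enable = true;
    version = 2;                  # EFI support is only available for GRUB 2
    efiSupport = true;
    # Install to EFI/boot/boot$arch.efi, which firmware is hardcoded to try
    # first, so the drive boots regardless of the machine's NVRAM state.
    efiInstallAsRemovable = true;
    # No MBR target is needed for an EFI install; nodev generates the menu only.
    device = "nodev";
  };

  # With efiInstallAsRemovable the install does not depend on efibootmgr, so
  # the installer is not allowed to touch EFI variables at all.
  boot.loader.efi.canTouchEfiVariables = false;
}
```

If instead you are booted in UEFI mode on the target machine and want a named NVRAM entry, set efiInstallAsRemovable = false and canTouchEfiVariables = true; the silent-failure case described above only arises when canTouchEfiVariables is set while booted in legacy mode.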
boot.loader.grub.efiSupport

Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraConfig

Additional GRUB commands inserted in the configuration file just before the menu entries.

Type: strings concatenated with "\n"

Default: ""

Example: "serial; terminal_output.serial"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraEntries

Any additional entries you want added to the GRUB boot menu.

Type: strings concatenated with "\n"

Default: ""

Example:

''
# GRUB 1 example (not GRUB 2 compatible)
title Windows
  chainloader (hd0,1)+1

# GRUB 2 example
menuentry "Windows 7" {
  chainloader (hd0,4)+1
}

# GRUB 2 with UEFI example, chainloading another distro
menuentry "Fedora" {
  set root=(hd1,1)
  chainloader /efi/fedora/grubx64.efi
}
''

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraEntriesBeforeVpsAdminOS

Whether extraEntries are included before the default option.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraFiles

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Type: attribute set of paths

Default: { }

Example:

{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraInitrd

The path to a second initramfs to be supplied to the kernel. This ramfs will not be copied to the store, so that it can contain secrets such as LUKS keyfiles or SSH keys. This implies that rolling back to a previous configuration won't roll back the state of this file.

Type: null or path

Default: null

Example: "/boot/extra_initramfs.gz"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraPerEntryConfig

Additional GRUB commands inserted in the configuration file at the start of each vpsAdminOS menu entry.

Type: strings concatenated with "\n"

Default: ""

Example: "root (hd0)"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraPrepareConfig

Additional bash commands to be run at the script that prepares the GRUB menu entries.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.font

Path to a TrueType, OpenType, or pf2 font to be used by GRUB.

Type: null or path

Default: "\${pkgs.grub2}/share/grub/unicode.pf2"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.fontSize

Font size for the GRUB menu. Ignored unless font is set to a TTF or OTF font.

Type: null or signed integer

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.forceInstall

Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.fsIdentifier

Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that GRUB will always resolve the UUID or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as shown in df or mount. Note that ZFS zpools / datasets are ignored and will always be mounted using their labels.

Type: one of "uuid", "label", "provided"

Default: "uuid"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.gfxmodeBios

The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.

Type: string

Default: "1024x768"

Example: "auto"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.gfxmodeEfi

The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.

Type: string

Default: "auto"

Example: "1024x768"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.ipxe

Set of iPXE scripts available for booting from the GRUB boot menu.

Type: attribute set of path or strings

Default: { }

Example:

{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.vpsadminos.org/script.ipxe
  '';
}

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/ipxe.nix>
boot.loader.grub.mirroredBoots

Mirror the boot configuration to multiple partitions and install GRUB to the respective devices corresponding to those partitions.

Type: list of submodules

Default: [ ]

Example: [ { devices = [ "/dev/disk/by-id/wwn-0x500001234567890a" ] ; path = "/boot1"; } { devices = [ "/dev/disk/by-id/wwn-0x500009876543210a" ] ; path = "/boot2"; } ]

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.devices

The paths of the devices to which the GRUB MBR will be written. Note that these are typically device paths and not paths to partitions.

Type: list of strings

Default: [ ]

Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a" ]

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.efiBootloaderId

The ID of the bootloader to store in EFI NVRAM. The default is to name it vpsAdminOS and append the path or efiSysMountPoint. This is only used if boot.loader.efi.canTouchEfiVariables is true.

Type: null or string

Default: null

Example: "vpsAdminOS-fsid"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.efiSysMountPoint

The path to the EFI system mount point. Usually this is the same partition as the path above and can be left as null.

Type: null or string

Default: null

Example: "/boot1/efi"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.path

The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.

Type: string

Example: "/boot1"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.splashImage

Background image used for GRUB. Set to null to run GRUB in text mode.

Note

For grub 1: It must be a 640x480, 14-colour image in XPM format, optionally compressed with gzip or bzip2.

Note

For grub 2: File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must not be progressive. The image will be scaled if necessary to fit the screen.

Type: null or path

Example:

./my-background.png

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.storePath

Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.

Type: string

Default: "/nix/store"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.trustedBoot.enable

Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.trustedBoot.isHPLaptop

Use a special version of TrustedGRUB that is needed by some HP laptops and works only on those HP laptops.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.trustedBoot.systemHasTPM

Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.

Type: string

Default: ""

Example: "YES_TPM_is_activated"

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.useOSProber

If set to true, append entries for other OSs detected by os-prober.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.version

The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.

Type: signed integer

Default: 2

Example: 1

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.zfsSupport

Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
boot.loader.timeout

Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.

Type: null or signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/loader.nix>
boot.postBootCommands

Shell commands to be executed just before runit is started.

Type: strings concatenated with "\n"

Default: ""

Example: "rm -f /var/log/messages"

Declared by:

<vpsadminos/os/modules/system/boot/stage-2.nix>
boot.predefinedFailAction

Action to take automatically if stage-1 fails:

n - create new pool (may also erase disks and run partitioning if configured)
i - interactive shell
r - reboot
* - ignore

Useful for unattended installations and testing.

Type: one of "", "n", "i", "r", "*"

Default: ""

Declared by:

<vpsadminos/os/modules/system/activation/top-level.nix>
boot.procHidePid

Mount /proc with the hidepid=2 option.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/stage-2.nix>
boot.qemu.disks

Disks available within the VM

Type: list of submodules

Default: [ { create = true; device = "sda.img"; size = "8G"; type = "file"; } ]

Declared by:

<vpsadminos/os/modules/system/boot/qemu.nix>
boot.qemu.disks.*.create

Create the device if it does not exist. Applicable only for file-backed devices.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/qemu.nix>
boot.qemu.disks.*.device

Path to the disk device

Type: string

Declared by:

<vpsadminos/os/modules/system/boot/qemu.nix>
boot.qemu.disks.*.size

Device size

Type: string

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/qemu.nix>
boot.qemu.disks.*.type

Device type

Type: one of "file", "blockdev"

Declared by:

<vpsadminos/os/modules/system/boot/qemu.nix>
boot.runSize

This option has no description.

Type: string

Default: "25%"

Example: "256m"

Declared by:

<vpsadminos/os/modules/system/boot/stage-2.nix>
boot.specialFileSystems.<name>.device

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.fsType

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.mountPoint

Location of the mounted file system.

Type: string (with check: non-empty)

Example: "/mnt/usb"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.options

Options used to mount the file system.

Type: list of strings (with check: non-empty)

Default: [ "defaults" ]

Example: [ "data=journal" ]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.supportedFilesystems

Names of supported filesystem types.

Type: list of strings

Default: [ ]

Example: [ "btrfs" ]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.vesa

(Deprecated) This option, if set, activates the VESA 800x600 video mode on boot and disables kernel modesetting. It is equivalent to specifying [ "vga=0x317" "nomodeset" ] in the boot.kernelParams option. This option is deprecated as of 2020: Xorg now works better with modesetting, and you might want a different VESA vga setting, anyway.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.zfs.devNodes

Directories searched for disk devices. This should be a path under /dev containing stable names for all needed devices, as import may fail if device nodes are renamed concurrently with a device failing.

Type: list of strings

Default: [ "/dev/disk/by-id" ]

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.forceImportRoot

Forcibly import the ZFS root pool(s) during early boot.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools

This option has no description.

Type: attribute set of submodules

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.cache

Devices used for secondary read cache (L2ARC).

Type: list of strings

Default: [ ]

Example: [ "sde2" "sdf2" ]

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.datasets

Declaratively create ZFS file systems or volumes and configure properties. Dataset names are relative to the pool and may optionally start with a slash. Configured properties are passed directly to ZFS, see man zfs(8) for more information. No dataset is ever destroyed, and properties removed from the configuration are not unset once deployed. To reset a property, set its value to `inherit`.

Type: attribute set of submodules

Default: { / = { properties = { xattr = { _type = "override"; content = "sa"; priority = 1000; } ; } ; } ; }

Example: { / = { properties = { sharenfs = "on"; } ; } ; data = { properties = { quota = "100G"; } ; } ; volume = { properties = { volsize = "50G"; } ; type = "volume"; } ; }

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.datasets.<name>.properties

ZFS properties, see man zfs(8).

Type: attribute set

Default: { }

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.datasets.<name>.type

Dataset type

Type: one of "filesystem", "volume"

Default: "filesystem"

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.doCreate

Determines whether disks are partitioned and the zpool is created when the pool cannot be imported, suggesting it does not exist. Do not enable this in production; existing pools might fail to import for unforeseen reasons, and recreating them will result in data loss.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.guid

Pool ID used for importing.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.install

Import the pool into osctld to be used for containers.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.layout

Pool layout to pass to zpool create. The pool can be created either manually using script do-create-pool-<pool> or automatically when boot.zfs.pools.<pool>.doCreate is set and the pool cannot be imported.

Type: list of submodules

Default: [ ]

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.layout.*.devices

List of device names.

Type: list of strings

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.layout.*.type

Virtual device type, see man zpool(8) for more information.

Type: one of "stripe", "mirror", "raidz", "raidz1", "raidz2", "raidz3"

Default: "stripe"

Example: "mirror"

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.log

Devices used for ZFS Intent Log (ZIL).

Type: list of submodules

Default: [ ]

Example: { devices = [ "sde1" "sdf1" ] ; mirror = true; }

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.log.*.devices

List of device names.

Type: list of strings

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.log.*.mirror

Determines whether the log devices will be mirrored or not.

Type: boolean

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.partition

Partition disks. This creates an sfdisk input for simple partitioning; X in 'pX' is the partition number. If sizeGB is not specified, the rest of the disk will be used for this partition.

Type: attribute set of attribute sets of submodules

Default: { }

Example: { sde = { p1 = { sizeGB = 20; } ; p2 = { sizeGB = 10; type = "fd"; } ; p3 = { } ; } ; }

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.partition.<name>.<name>.sizeGB

Partition size in gigabytes

Type: null or positive integer, meaning >0

Default: null

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.partition.<name>.<name>.type

Partition type (list with `sfdisk -T`)

Type: one of "fd"

Default: "fd"

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.properties

zpool properties, see man zpool(8) for more information.

Type: attribute set

Default: { }

Example: { readonly = "on"; }

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.scrub.enable

Enables periodic scrubbing

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.scrub.interval

Date and time expression for when to scrub the pool, in crontab format, i.e. minute, hour, day of month, month and day of week separated by spaces.

Type: string

Default: "0 4 */14 * *"

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.share

Determines whether ZFS filesystems with sharenfs set should be exported. When set to "always", zfs share is run every time the service is started. When set to "once", filesystems are exported only once for this pool, e.g. when the service is restarted on upgrade, filesystems are not re-exported. "off" disables automated exporting completely.

Type: one of "always", "once", "off"

Default: "always"

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.spare

List of devices to be used as hot spares.

Type: list of strings

Default: [ ]

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
boot.zfs.pools.<name>.wipe

Wipe disks prior to disk partitioning and pool creation (dangerous!). Uses dd to erase first and last 1024 sectors of the device.

Type: list of strings

Default: [ ]

Example: [ "sda" "sdb" ]

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
environment.enableDebugInfo

Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in /run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them. If you need debug symbols for a package that doesn't provide them by default, you can enable them as follows:

nixpkgs.config.packageOverrides = pkgs: {
  hello = pkgs.hello.overrideAttrs (oldAttrs: {
    separateDebugInfo = true;
  });
};

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/debug-info.nix>
environment.etc

Set of files that have to be linked in /etc.

Type: attribute set of submodules

Default: { }

Example:

{ example-configuration-file =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.enable

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.gid

GID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.group

Group name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over gid.

Type: string

Default: "+0"

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.mode

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Type: string

Default: "symlink"

Example: "0600"

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.target

Name of symlink (relative to /etc). Defaults to the attribute name.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.text

Text of the file.

Type: null or strings concatenated with "\n"

Default: null

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.uid

UID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.user

User name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over uid.

Type: string

Default: "+0"

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.extraInit

Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.extraOutputsToInstall

List of additional package outputs to be symlinked into /run/current-system/sw.

Type: list of strings

Default: [ ]

Example: [ "doc" "info" "docdev" ]

Declared by:

<vpsadminos/os/modules/config/system-path.nix>
environment.homeBinInPath

Include ~/bin/ in $PATH.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.interactiveShellInit

Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.loginShellInit

Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.pathsToLink

List of directories to be symlinked in /run/current-system/sw.

Type: list of strings

Default: [ ]

Example: [ "/" ]

Declared by:

<vpsadminos/os/modules/config/system-path.nix>
environment.profileRelativeEnvVars

Attribute set of environment variables. Each attribute maps to a list of relative paths. Each relative path is appended to each profile of environment.profiles to form the content of the corresponding environment variable.

Type: attribute set of lists of strings

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.profileRelativeSessionVariables

Attribute set of environment variables used in the global environment. These variables will be set by PAM early in the login process. Variable substitution is available as described in pam_env.conf(5). Each attribute maps to a list of relative paths. Each relative path is appended to each profile of environment.profiles to form the content of the corresponding environment variable. Also, these variables are merged into environment.profileRelativeEnvVars, and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of lists of strings

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }

Declared by:

<nixpkgs/nixos/modules/config/system-environment.nix>
environment.profiles

A list of profiles used to setup the global environment.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.sessionVariables

A set of environment variables used in the global environment. These variables will be set by PAM early in the login process. The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters. Note that, due to limitations in the PAM format, values may not contain the " character. Also, these variables are merged into environment.variables, and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of strings or lists of strings

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/system-environment.nix>
environment.shellAliases

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells. Aliases mapped to null are ignored.

Type: attribute set of null or string or path

Example: { l = null; ll = "ls -l"; }

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shellInit

Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shells

A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.

Type: list of packages or paths

Default: [ ]

Example:

[ pkgs.bashInteractive pkgs.zsh ]

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.systemPackages

This option has no description.

Type: list of packages

Default: [ ]

Example:

[ pkgs.firefox pkgs.thunderbird ]

Declared by:

<vpsadminos/os/modules/config/system-path.nix>
environment.variables

A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Type: attribute set of strings or lists of strings

Default: { }

Example: { EDITOR = "nvim"; VISUAL = "nvim"; }

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
fileSystems

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]). Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Type: attribute set of submodules

Default: { }

Example:

{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.autoFormat

If the device does not currently contain a filesystem (as determined by blkid), then automatically format it with the filesystem type specified in fsType. Use with caution.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.autoResize

If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.device

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.formatOptions

If the autoFormat option is set, specifies extra options passed to mkfs.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.fsType

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.label

Label of the device (if any).

Type: null or string (with check: non-empty)

Default: null

Example: "root-partition"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.mountPoint

Location of the mounted file system.

Type: string (with check: non-empty)

Example: "/mnt/usb"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.neededForBoot

If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing /nix/store.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/stage-1.nix>
fileSystems.<name>.noCheck

Disable running fsck on this filesystem.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.options

Options used to mount the file system.

Type: list of strings (with check: non-empty)

Default: [ "defaults" ]

Example: [ "data=journal" ]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
hardware.enableAllFirmware

Turn on this option if you want to enable all the firmware.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/all-firmware.nix>
hardware.enableRedistributableFirmware

Turn on this option if you want to enable all the firmware with a license allowing redistribution. (i.e. free firmware and firmware-linux-nonfree)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/all-firmware.nix>
hardware.firmware

This option has no description.

Type: list of packages

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/hardware/eudev.nix>
i18n.defaultLocale

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

Type: string

Default: "en_US.UTF-8"

Example: "nl_NL.UTF-8"

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.extraLocaleSettings

A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.

Type: attribute set of strings

Default: { }

Example: { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; }

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.glibcLocales

Customized pkgs.glibcLocales package. Changing this option can disable handling of i18n.defaultLocale and i18n.supportedLocales.

Type: path

Default: (build of glibc-locales-2.31-74)

Example:

pkgs.glibcLocales

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.supportedLocales

List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED.

Type: list of strings

Default: [ "all" ]

Example: [ "en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1" ]

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
krb5

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
lib

This option allows modules to define helper functions, constants, etc.

Type: attribute set of attribute sets

Default: { }

Declared by:

<nixpkgs/nixos/modules/misc/lib.nix>
location.latitude

Your current latitude, between -90.0 and 90.0. Must be provided along with longitude.

Type: floating point number

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
location.longitude

Your current longitude, between -180.0 and 180.0. Must be provided along with latitude.

Type: floating point number

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
location.provider

The location provider to use for determining your location. If set to manual you must also provide latitude/longitude.

Type: one of "manual", "geoclue2"

Default: "manual"

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
manual.html.enable

Whether to install the HTML manual.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/misc/manual.nix>
manual.json.enable

Whether to install a JSON formatted list of all vpsAdminOS options. This can be located at <profile directory>/share/doc/vpsadminos/options.json, and may be used for navigating definitions, auto-completing, and other miscellaneous tasks.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/misc/manual.nix>
manual.manpages.enable

Whether to install the configuration manual page. The manual can be reached by man vpsadminos-configuration.nix.

Type: boolean

Default: true

Example: false

Declared by:

<vpsadminos/os/modules/misc/manual.nix>
meta.maintainers

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
networking.enableIPv6

This option has no description.

Type: unspecified

Default: true

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
networking.bird.enable

Whether to enable BIRD Internet Routing Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.extraConfig

BIRD Internet Routing Daemon configuration file. http://bird.network.cz/

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.logFile

This option has no description.

Type: string

Default: "/var/log/bird.log"

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.logVerbosity

This option has no description.

Type: string

Default: "all"

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bfd.enable

Enable BFD

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bfd.interfaces

BFD interfaces

Type: attribute set of submodules

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bfd.interfaces.<name>.idleTX

Desired TX interval if the neighbor is not available or not running BFD (milliseconds).

Type: positive integer, meaning >0

Default: 1000

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bfd.interfaces.<name>.minRX

Minimum RX interval (milliseconds).

Type: positive integer, meaning >0

Default: 10

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bfd.interfaces.<name>.minTX

Desired TX interval (milliseconds).

Type: positive integer, meaning >0

Default: 100

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bgp

BGP instances

Type: attribute set of submodules

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bgp.<name>.as

BGP autonomous system ID

Type: positive integer, meaning >0

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bgp.<name>.extraConfig

This option has no description.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bgp.<name>.neighbor

Our neighbors

Type: attribute set of positive integers (>0)

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.bgp.<name>.nextHopSelf

Always advertise our own local address as a next hop

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.device.extraConfig

Extra config for device protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.device.scanTime

Time in seconds between two scans of the network interface list.

Type: positive integer, meaning >0

Default: 1

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.direct.interface

Restrict devices used by direct protocol

Type: string

Default: "*"

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.kernel.extraConfig

Extra config for kernel protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.kernel.learn

Whether to enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.kernel.persist

Whether to tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up).

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.protocol.kernel.scanTime

Time in seconds between two consecutive scans of the kernel routing table.

Type: positive integer, meaning >0

Default: 10

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird.routerId

Set BIRD's router ID based on an IP address of an interface specified by an interface pattern.

Type: string

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.enable

Whether to enable BIRD Internet Routing Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.extraConfig

BIRD Internet Routing Daemon configuration file. http://bird.network.cz/

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.logFile

This option has no description.

Type: string

Default: "/var/log/bird6.log"

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.logVerbosity

This option has no description.

Type: string

Default: "all"

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bfd.enable

Enable BFD

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bfd.interfaces

BFD interfaces

Type: attribute set of submodules

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bfd.interfaces.<name>.idleTX

desired TX interval if neighbor not available or not running BFD (milliseconds)

Type: positive integer, meaning >0

Default: 1000

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bfd.interfaces.<name>.minRX

minimum RX interval (milliseconds)

Type: positive integer, meaning >0

Default: 10

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bfd.interfaces.<name>.minTX

desired TX interval (milliseconds)

Type: positive integer, meaning >0

Default: 100

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bgp

BGP instances

Type: attribute set of submodules

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bgp.<name>.as

BGP autonomous system ID

Type: positive integer, meaning >0

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bgp.<name>.extraConfig

This option has no description.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bgp.<name>.neighbor

Our neighbors

Type: attribute set of positive integers, meaning >0

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.bgp.<name>.nextHopSelf

Always advertise our own local address as a next hop

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.device.extraConfig

Extra config for device protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.device.scanTime

Time in seconds between two scans of the network interface list.

Type: positive integer, meaning >0

Default: 1

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.direct.interface

Restrict devices used by direct protocol

Type: string

Default: "*"

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.kernel.extraConfig

Extra config for kernel protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.kernel.learn

Whether to enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.kernel.persist

Whether to tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up).

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.protocol.kernel.scanTime

Time in seconds between two consecutive scans of the kernel routing table.

Type: positive integer, meaning >0

Default: 10

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.bird6.routerId

Set BIRD's router ID based on an IP address of an interface specified by an interface pattern.

Type: string

Declared by:

<vpsadminos/os/modules/services/networking/bird.nix>
networking.chronyd

use Chrony daemon for network time synchronization

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/services/networking/chronyd.nix>
networking.custom

Custom set of commands used to set-up networking

Type: strings concatenated with "\n"

Default: ""

Example:

''
ip addr add 10.0.0.1 dev ix0
ip link set ix0 up
''

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.dhcp

use DHCP to obtain IP

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.dhcpd

Whether to enable dhcpd for LXC containers.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/dhcpd.nix>
networking.domain

The domain. It can be left empty if it is auto-detected through DHCP.

Type: null or string

Default: null

Example: "home"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.extraHosts

Additional verbatim entries to be appended to /etc/hosts.

Type: strings concatenated with "\n"

Default: ""

Example: "192.168.0.1 lanlocalhost"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.firewall.enable

Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.package

The iptables package to use for running the firewall service.

Type: package

Default: "pkgs.iptables"

Example:

pkgs.iptables-nftables-compat

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowPing

Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedTCPPortRanges

A range of TCP ports on which incoming connections are accepted.

Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ { from = 8999; to = 9003; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedTCPPorts

List of TCP ports on which incoming connections are accepted.

Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ 22 80 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedUDPPortRanges

Range of open UDP ports.

Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ { from = 60000; to = 61000; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedUDPPorts

List of open UDP ports.

Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ 53 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.autoLoadConntrackHelpers

Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules (needs kernel 3.5+)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.checkReversePath

Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused. If using asymmetric routing or other complicated routing, set this option to loose mode or disable it and set up your own counter-measures. This option can be either true (or "strict"), "loose" (only drop the packet if the source address is not reachable via any interface) or false. Defaults to the value of kernelHasRPFilter. (needs kernel 3.3+)

Type: boolean or one of "strict", "loose"

Default: true

Example: "loose"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.connectionTrackingModules

List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example. As helpers can pose a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default. It is recommended that helpers be loaded through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/

Type: list of strings

Default: [ ]

Example: [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.extraCommands

Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used to allow packets that would otherwise be refused.

Type: strings concatenated with "\n"

Default: ""

Example: "iptables -A INPUT -p icmp -j ACCEPT"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.extraPackages

Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands.

Type: list of packages

Default: [ ]

Example:

[ pkgs.ipset ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.extraStopCommands

Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed state.

Type: strings concatenated with "\n"

Default: ""

Example: "iptables -P INPUT ACCEPT"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces

Interface-specific open ports.

Type: attribute set of submodules

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedTCPPortRanges

A range of TCP ports on which incoming connections are accepted.

Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ { from = 8999; to = 9003; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedTCPPorts

List of TCP ports on which incoming connections are accepted.

Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ 22 80 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedUDPPortRanges

Range of open UDP ports.

Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ { from = 60000; to = 61000; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedUDPPorts

List of open UDP ports.

Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ ]

Example: [ 53 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedConnections

Whether to log rejected or dropped incoming connections.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedPackets

Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedUnicastsOnly

If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logReversePathDrops

Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.pingLimit

If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "--limit 1/minute --limit-burst 5".

Type: null or strings concatenated with " "

Default: null

Example: "--limit 1/minute --limit-burst 5"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.rejectPackets

If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST packet in case of an existing connection). Rejecting packets makes port scanning somewhat easier.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.trustedInterfaces

Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.

Type: list of strings

Default: [ ]

Example: [ "enp0s2" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.hostId

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
networking.hostName

machine hostname

Type: string

Default: "default"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.hosts

Locally defined maps of hostnames to IP addresses.

Type: attribute set of lists of strings

Default: { }

Example:

{
  "127.0.0.1" = [ "foo.bar.baz" ];
  "192.168.0.2" = [ "fileserver.local" "nameserver.local" ];
};

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.lxcbr

create lxc bridge interface

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.nameservers

The list of nameservers. It can be left empty if it is auto-detected through DHCP.

Type: list of strings

Default: [ ]

Example: [ "208.67.222.222" "208.67.220.220" ]

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.nat

enable NAT for containers

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.preConfig

Set of commands run prior to any other network configuration

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.search

The list of search paths used when resolving domain names.

Type: list of strings

Default: [ ]

Example: [ "example.com" "local.domain" ]

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.static.enable

use static networking configuration

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.static.gw

gateway IP address for static networking configuration

Type: string

Default: "10.0.2.2"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.static.interface

interface for static networking configuration

Type: string

Default: "eth0"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.static.ip

IP address for static networking configuration

Type: string

Default: "10.0.2.15"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.static.route

route

Type: string

Default: "10.0.2.0/24"

Declared by:

<vpsadminos/os/modules/tasks/network-interfaces.nix>
networking.timeServers

The set of NTP servers from which to synchronise.

Type: unspecified

Default: [ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]

Declared by:

<vpsadminos/os/modules/services/networking/chronyd.nix>
networking.useDHCP

Alias of networking.dhcp.

Type: boolean

Declared by:

<vpsadminos/os/modules/rename.nix>
nix.package

This option specifies the Nix package instance to use throughout the system.

Type: package

Default: "pkgs.nix"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.allowedUsers

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.trustedUsers, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *. Note that trusted users are always allowed to connect.

Type: list of strings

Default: [ "*" ]

Example: [ "@wheel" "@builders" "alice" "bob" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.autoOptimiseStore

If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.binaryCachePublicKeys

List of public keys used to sign binary caches. If nix.requireSignedBinaryCaches is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key for cache.nixos.org is included.

Type: list of strings

Example: [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.binaryCaches

List of binary cache URLs used to obtain pre-built binaries of Nix packages. By default https://cache.nixos.org/ is added, to override it use lib.mkForce [].

Type: list of strings

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildCores

This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.

Type: signed integer

Default: 0

Example: 64

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines

This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store.

Type: list of submodules

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.hostName

The hostname of the build machine.

Type: string

Example: "nixbuilder.example.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.mandatoryFeatures

A list of features mandatory for this builder. The builder will be ignored for derivations that don't require all features in this list. All mandatory features are automatically included in supportedFeatures.

Type: list of strings

Default: [ ]

Example: [ "big-parallel" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.maxJobs

The number of concurrent jobs the build machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build machines.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.speedFactor

The relative speed of this builder. This is an arbitrary integer that indicates the speed of this builder, relative to other builders. Higher is faster.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.sshKey

The path to the SSH private key with which to authenticate on the build machine. The private key must not have a passphrase. If null, the building user (root on NixOS machines) must have an appropriate ssh configuration to log in non-interactively. Note that for security reasons, this path must point to a file in the local filesystem, *not* to the nix store.

Type: null or string

Default: null

Example: "/root/.ssh/id_buildhost_builduser"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.sshUser

The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in nix.trustedUsers.

Type: null or string

Default: null

Example: "builder"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.supportedFeatures

A list of features supported by this builder. The builder will be ignored for derivations that require features not in this list.

Type: list of strings

Default: [ ]

Example: [ "kvm" "big-parallel" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.system

The system type the build machine can execute derivations on. Either this attribute or systems must be present, where system takes precedence if both are set.

Type: null or string

Default: null

Example: "x86_64-linux"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines.*.systems

The system types the build machine can execute derivations on. Either this attribute or system must be present, where system takes precedence if both are set.

Type: list of strings

Default: [ ]

Example: [ "x86_64-linux" "aarch64-linux" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.checkConfig

If enabled (the default), checks that Nix can parse the generated nix.conf.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.daemon.enable

Whether to enable the Nix daemon.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/misc/nix-daemon.nix>
nix.daemonIONiceLevel

Nix daemon process I/O priority. This priority propagates to build processes. 0 is the default Unix process I/O priority, 7 is the lowest.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.daemonNiceLevel

Nix daemon process priority. This priority propagates to build processes. 0 is the default Unix process priority, 19 is the lowest.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.distributedBuilds

Whether to distribute builds to the machines listed in nix.buildMachines.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.extraOptions

Additional text appended to nix.conf.

Type: strings concatenated with "\n"

Default: ""

Example:

''
keep-outputs = true
keep-derivations = true
''

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.maxJobs

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommended to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).

Type: signed integer or one of "auto"

Default: "auto"

Example: 64

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.nixPath

The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets (e.g. <nixpkgs>).

Type: list of strings

Default: [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.nrBuildUsers

Number of nixbld user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.readOnlyStore

If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount. Nix will automatically make the store writable when needed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.registry

A system-wide flake registry.

Type: attribute set of submodules

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.registry.<name>.exact

Whether the from reference needs to match exactly. If set, a from reference like nixpkgs does not match with a reference like nixpkgs/nixos-20.03.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.registry.<name>.flake

The flake input to which from is to be rewritten.

Type: unspecified

Default: null

Example:

nixpkgs

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.registry.<name>.from

The flake reference to be rewritten.

Type: attribute set of string or signed integer or boolean or packages

Example: { id = "nixpkgs"; type = "indirect"; }

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.registry.<name>.to

The flake reference to which from is to be rewritten.

Type: attribute set of string or signed integer or boolean or packages

Example: { owner = "my-org"; repo = "my-nixpkgs"; type = "github"; }

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.requireSignedBinaryCaches

If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.binaryCachePublicKeys. If disabled, signatures are neither required nor checked, so it's strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.sandboxPaths

Directories from the host filesystem to be included in the sandbox.

Type: list of strings

Default: [ ]

Example: [ "/dev" "/proc" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.systemFeatures

The supported features of a machine

Type: list of strings

Example: [ "kvm" "big-parallel" "gccarch-skylake" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.trustedBinaryCaches

List of binary cache URLs that non-root users can use (in addition to those specified using nix.binaryCaches) by passing --option binary-caches to Nix commands.

Type: list of strings

Default: [ ]

Example: [ "https://hydra.nixos.org/" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.trustedUsers

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with @; for instance, @wheel means all users in the wheel group.

Type: list of strings

Default: [ "root" ]

Example: [ "root" "alice" "@wheel" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.useSandbox

If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment. This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn't affect derivation hashes, so changing this option will not trigger a rebuild of packages.

Type: boolean or one of "relaxed"

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nixpkgs.config

The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options. Ignored when nixpkgs.pkgs is set.

Type: nixpkgs config

Default: { }

Example:

{ allowBroken = true; allowUnfree = true; }

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.crossSystem

Specifies the platform for which NixOS should be built. Specify this only if it is different from nixpkgs.localSystem, the platform on which NixOS should be built. In other words, specify this to cross-compile NixOS. Otherwise it should be set as null, the default. See its description in the Nixpkgs manual for more details. Ignored when nixpkgs.pkgs is set.

Type: null or attribute set

Default: null

Example: { config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux"; }

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.localSystem

Specifies the platform on which NixOS should be built. When nixpkgs.crossSystem is unset, it also specifies the platform for which NixOS should be built. If this option is unset, it defaults to the platform type of the machine where evaluation happens. Specifying this option is useful when doing distributed multi-platform deployment, or when building virtual machines. See its description in the Nixpkgs manual for more details. Ignored when nixpkgs.pkgs is set.

Type: attribute set

Default: (import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatform

Example: { config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux"; }

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.overlays

List of overlays to use with the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to override packages globally. Each function in the list takes as an argument the original Nixpkgs. The first argument should be used for finding dependencies, and the second should be used for overriding recipes. If nixpkgs.pkgs is set, overlays specified here will be applied after the overlays that were already present in nixpkgs.pkgs.

Type: list of nixpkgs overlays

Default: [ ]

Example:

[
  (self: super: {
    openssh = super.openssh.override {
      hpnSupport = true;
      kerberos = self.libkrb5;
    };
  })
]

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.pkgs

If set, the pkgs argument to all NixOS modules is the value of this option, extended with nixpkgs.overlays, if that is also set. Either nixpkgs.crossSystem or nixpkgs.localSystem will be used in an assertion to check that the NixOS and Nixpkgs architectures match. Any other options in nixpkgs.*, notably config, will be ignored. If unset, the pkgs argument to all NixOS modules is determined as shown in the default value for this option. The default value imports the Nixpkgs source files relative to the location of this NixOS module, because NixOS and Nixpkgs are distributed together for consistency, so the nixos in the default value is in fact a relative path. The config, overlays, localSystem, and crossSystem come from this option's siblings. This option can be used by applications like NixOps to increase the performance of evaluation, or to create packages that depend on a container that should be built with the exact same evaluation of Nixpkgs, for example. Applications like this should set their default value using lib.mkDefault, so user-provided configuration can override it without using lib. Note that using a distinct version of Nixpkgs with NixOS may be an unexpected source of problems. Use this option with care.

Type: An evaluation of Nixpkgs; the top level attribute set of packages

Default: import "${nixos}/.." { inherit (cfg) config overlays localSystem crossSystem; }

Example:

import <nixpkgs> {}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.system

Specifies the Nix platform type on which NixOS should be built. It is better to specify nixpkgs.localSystem instead.

{
  nixpkgs.system = ..;
}

is the same as

{
  nixpkgs.localSystem.system = ..;
}

See nixpkgs.localSystem for more information. Ignored when nixpkgs.localSystem is set. Ignored when nixpkgs.pkgs is set.

Type: string

Example: "i686-linux"

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
os.channel-registration.enable

This option has no description.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/installer/cd-dvd/channel.nix>
osctl.exporter.enable

Enable osctl-exporter.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/osctl/osctl-exporter.nix>
osctl.exporter.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<vpsadminos/os/modules/osctl/osctl-exporter.nix>
osctl.exporter.port

Port to listen on.

Type: signed integer

Default: 9101

Declared by:

<vpsadminos/os/modules/osctl/osctl-exporter.nix>
osctl.exportfs.enable

Enable osctl-exportfs integration.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/osctl/osctl-exportfs.nix>
osctl.pools

osctl pools to configure

Type: attribute set of submodules

Default: { }

Example:

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers

osctl containers to include

Type: attribute set of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.arch

Architecture of the distribution to install, must be compatible with the host's architecture.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.autostart

Autostart options. See also https://vpsadminos.org/containers/auto-starting/

Type: null or submodule

Default: null

Example: { delay = 5; enable = true; priority = 10; }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.autostart.enable

Whether to enable container autostart.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.autostart.delay

Autostart delay

Type: positive integer, meaning >0

Default: 5

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.autostart.priority

Autostart priority

Type: positive integer, meaning >0

Default: 10

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.cgparams

CGroup parameters. See also https://vpsadminos.org/containers/resources/

Type: list of submodules

Default: [ ]

Example: [ { name = "memory.limit_in_bytes"; subsystem = "memory"; value = "10G"; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.cgparams.*.name

CGroup parameter name

Type: string

Example: "memory.limit_in_bytes"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.cgparams.*.subsystem

CGroup subsystem name. If left empty, it is deduced from cgroup parameter name.

Type: string

Default: ""

Example: "memory"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.cgparams.*.value

CGroup parameter value

Type: string

Example: "10G"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.config

A specification of the desired configuration of this container, as a NixOS module.

Type: Toplevel NixOS config

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices

Devices allowed in this group. See also https://vpsadminos.org/containers/devices/

Type: list of submodules

Default: [ ]

Example: [ { major = 10; minor = 229; mode = "rw"; name = "/dev/fuse"; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices.*.major

Device major ID

Type: string

Example: "229"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices.*.minor

Device minor ID

Type: string

Example: "10"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices.*.mode

Device access mode. r for read, w for write and m for mknod.

Type: one of "r", "rw", "w", "m", "wm", "rm", "rwm"

Example: "rwm"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices.*.name

Device name

Type: string

Default: ""

Example: "/dev/fuse"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices.*.provide

Determines whether the device should be provided to descendant groups, i.e. whether they should inherit it.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.devices.*.type

Device type

Type: one of "char", "block"

Example: "char"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.distribution

Name of the distribution to install.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.group

Name of an osctl group declared by osctl.groups that the container belongs to.

Type: string

Default: "/default"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.on-create

on-create hook is run in the host's namespace after the container was created and configured, but before it is started. The hook script's exit status is not evaluated.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.on-start

on-start is run in the host's namespace, after the container has been mounted and right before its init process is executed. If on-start exits with a non-zero status, the container's start is aborted.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.on-stop

on-stop is run in the host's namespace when the container enters state stopping. The hook's exit status is not evaluated.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.post-create

post-create hook is run in the host's namespace after the container was created, configured and started. The hook script's exit status is not evaluated.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.post-mount

post-mount is run in the container's mount namespace, after its rootfs and all LXC mount entries are mounted. The path to the container's runtime rootfs is in environment variable OSCTL_CT_ROOTFS_MOUNT. If post-mount exits with a non-zero status, the container's start is aborted.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.post-start

post-start is run in the host's namespace after the container entered state running. The container's init PID is passed in environment variable OSCTL_CT_INIT_PID. The hook script's exit status is not evaluated.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.post-stop

post-stop is run in the host's namespace when the container enters state stopped. The hook's exit status is not evaluated.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.pre-create

pre-create hook is run in the host's namespace before the container is created. If pre-create exits with status `1`, the creation attempt will be aborted and retried repeatedly, as the container's runit service restarts until the hook script exits with `0`. If pre-create exits with status `2`, the container will not be created and the runit service will not be automatically restarted.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.pre-mount

pre-mount is run in the container's mount namespace, before its rootfs is mounted. The path to the container's runtime rootfs is in environment variable OSCTL_CT_ROOTFS_MOUNT. If pre-mount exits with a non-zero status, the container's start is aborted.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.pre-start

pre-start hook is run in the host's namespace before the container is mounted. The container's cgroups have already been configured and distribution-support code has been run. If pre-start exits with a non-zero status, the container's start is aborted.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.pre-stop

pre-stop hook is run in the host's namespace when the container is being stopped using ct stop. If pre-stop exits with a non-zero exit status, the container will not be stopped. This hook is not called when the container is shut down from the inside.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.veth-down

veth-down hook is run in the host's namespace when the veth pair is removed. Names of the removed veth interfaces are available in environment variables OSCTL_HOST_VETH and OSCTL_CT_VETH. The hook's exit status is not evaluated.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.hooks.veth-up

veth-up hook is run in the host's namespace when the veth pair is created. Names of created veth interfaces are available in environment variables OSCTL_HOST_VETH and OSCTL_CT_VETH. If veth-up exits with a non-zero status, the container's start is aborted.

Type: null or path

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.image.path

Path to container image.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.image.repository

Name of the remote repository the container image is searched in.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces

Network interface configuration. See also https://vpsadminos.org/user-guide/networking/

Type: list of submodules

Default: [ ]

Example: [ { ipv4 = { addresses = [ { address = "10.0.0.1"; prefixLength = 16; } ] ; } ; link = "lxcbr0"; name = "eth0"; type = "bridge"; } { ipv4 = { addresses = [ { address = "172.17.66.66"; prefixLength = 32; } ] ; } ; ipv6 = { addresses = [ { address = "2a03:3b40:7:667::1"; prefixLength = 64; } ] ; } ; name = "eth1"; type = "routed"; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.dhcp

Determines whether the interface is configured using a DHCP client within the container (type = "bridge" only).

Type: null or boolean

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.hwaddr

Network interface hardware address

Type: string

Default: ""

Example: "52:54:00:2d:09:26"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.addresses

List of IPv4 addresses that will be statically assigned to the interface.

Type: list of submodules

Default: [ ]

Example: [ { address = "10.0.0.1"; prefixLength = 16; } { address = "192.168.1.1"; prefixLength = 24; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.addresses.*.address

IPv4 address.

Type: string

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.addresses.*.prefixLength

Subnet mask of the address, specified as the number of bits in the prefix (24).

Type: signed integer

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.gateway

IPv4 gateway for statically configured bridged interfaces. Set to auto to use the primary address of the linked interface, none to not set any gateway, or an IPv4 address (type = "bridge" only).

Type: string

Default: "auto"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.routes

List of IPv4 addresses that will be routed to the interface.

Type: list of submodules

Default: [ ]

Example: [ { address = "10.0.0.0"; prefixLength = 16; } { address = "192.168.1.0"; prefixLength = 24; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.routes.*.address

IPv4 address.

Type: string

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.routes.*.prefixLength

Subnet mask of the address, specified as the number of bits in the prefix (24).

Type: signed integer

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.addresses

List of IPv6 addresses that will be statically assigned to the interface.

Type: list of submodules

Default: [ ]

Example: [ { address = "2a03:3b40:7:666::"; prefixLength = 64; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.addresses.*.address

IPv6 address.

Type: string

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.addresses.*.prefixLength

Subnet mask of the address, specified as the number of bits in the prefix (64).

Type: signed integer

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.gateway

IPv6 gateway for statically configured bridged interfaces. Set to auto to use the primary address of the linked interface, none to not set any gateway, or an IPv6 address (type = "bridge" only).

Type: string

Default: "auto"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.routes

List of IPv6 addresses that will be routed to the interface.

Type: list of submodules

Default: [ ]

Example: [ { address = "2a03:3b40:7:666::"; prefixLength = 64; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.routes.*.address

IPv6 address.

Type: string

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.routes.*.prefixLength

Subnet mask of the address, specified as the number of bits in the prefix (24).

Type: signed integer

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.link

Link this network interface to bridge (type = "bridge" only)

Type: string

Default: ""

Example: "lxcbr0"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.name

Network interface name

Type: string

Example: "eth0"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.interfaces.*.type

Network interface type

Type: one of "bridge", "routed"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts

Container mounts. See also https://vpsadminos.org/user-guide/mounts/

Type: list of submodules

Default: [ ]

Example: [ { fs = "/var/shared"; mountpoint = "/mnt"; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts.*.automount

Mount automatically

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts.*.dataset

Relative path to the container's dataset

Type: null or string

Default: null

Example: "subdataset"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts.*.fs

Filesystem mountpoint (host side)

Type: string

Default: ""

Example: "/var/shared"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts.*.mountpoint

Filesystem mountpoint (container side)

Type: string

Example: "/mnt"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts.*.opts

Mount options

Type: string

Default: "bind,create=dir,rw"

Example: "bind,create=dir,rw"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.mounts.*.type

Mount type

Type: one of "bind"

Default: "bind"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.nesting

Whether to enable container nesting.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.path

As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.

Type: path

Example: "/nix/var/nix/profiles/containers/webserver"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.as

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.as.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.as.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.core

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.core.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.core.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.cpu

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.cpu.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.cpu.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.data

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.data.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.data.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.fsize

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.fsize.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.fsize.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.memlock

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.memlock.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.memlock.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.msgqueue

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.msgqueue.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.msgqueue.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nice

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nice.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nice.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nofile

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: { hard = 1048576; soft = 1024; }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nofile.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nofile.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nproc

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nproc.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.nproc.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rss

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rss.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rss.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rtprio

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rtprio.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rtprio.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rttime

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rttime.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.rttime.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.sigpending

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.sigpending.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.sigpending.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.stack

Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits

Type: null or submodule

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.stack.hard

Hard limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.prlimits.stack.soft

Soft limit

Type: positive integer, meaning >0 or one of "unlimited"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.resolvers

List of nameservers

Type: list of strings

Default: [ ]

Example: [ "1.1.1.1" "10.0.0.1" ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.seccomp

Path to seccomp profile

Type: string

Default: ""

Example: "/run/osctl/configs/lxc/common.seccomp"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.user

Name of an osctl user declared by osctl.users that the container belongs to. If not provided, a new user is created with its name matching the container ID. If such a user already exists, it is used instead.

Type: null or string

Default: null

Example: "myuser01"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.variant

Template variant for use with osctl remote repositories.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.vendor

Template vendor for use with osctl remote repositories.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.containers.<name>.version

Version of the distribution to install.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.destroyMethod

If set to manual, the garbage collector has to be run manually for every pool by the user by calling script gc-sweep-<pool>. When set to auto, the garbage collector is run in the background by runit service gc-<pool>. Options osctl.pools.<pool>.pure and osctl.pools.<pool>.destroyUndeclared are honored in the automated mode. Destructive operations using the manual invocation have to be enabled using command-line options.

Type: one of "manual", "auto"

Default: "manual"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.destroyUndeclared

Determines whether declarative users, groups and containers removed from Nix configuration should be deleted from the system or not. When turned off, undeclared containers are stopped, but not destroyed. When enabled, undeclared containers, groups and users are destroyed. WARNING: enabling this option is dangerous, as it will irreversibly destroy containers that are not defined by the current system. For example, if you temporarily roll back the system for whatever reason, containers that were not declared in the older version will be destroyed.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups

osctl groups to include. In addition to groups defined by this option, there are always two groups present: / and /default.

Type: attribute set of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.cgparams

CGroup parameters. See also https://vpsadminos.org/containers/resources/

Type: list of submodules

Default: [ ]

Example: [ { name = "memory.limit_in_bytes"; subsystem = "memory"; value = "10G"; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.cgparams.*.name

CGroup parameter name

Type: string

Example: "memory.limit_in_bytes"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.cgparams.*.subsystem

CGroup subsystem name. If left empty, it is deduced from cgroup parameter name.

Type: string

Default: ""

Example: "memory"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.cgparams.*.value

CGroup parameter value

Type: string

Example: "10G"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices

Devices allowed in this group. See also https://vpsadminos.org/containers/devices/

Type: list of submodules

Default: [ ]

Example: [ { major = 10; minor = 229; mode = "rw"; name = "/dev/fuse"; } ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices.*.major

Device major ID

Type: string

Example: "229"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices.*.minor

Device minor ID

Type: string

Example: "10"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices.*.mode

Device access mode. r for read, w for write and m for mknod.

Type: one of "r", "rw", "w", "m", "wm", "rm", "rwm"

Example: "rwm"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices.*.name

Device name

Type: string

Default: ""

Example: "/dev/fuse"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices.*.provide

Determines whether the device should be provided to descendant groups, i.e. whether they should inherit it.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.groups.<name>.devices.*.type

Device type

Type: one of "char", "block"

Example: "char"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges

ID ranges are used to track user/group ID allocations into user namespace maps. There is one default ID range on each pool, with the possibility of creating custom ID ranges. User namespace maps allocated from one ID range are guaranteed to be unique, i.e. no two containers can share the same user/group IDs, making them isolated. Created ID ranges cannot be declaratively modified. Delete them manually or using the garbage collector, then recreate them if changes are needed.

Type: attribute set of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.blockCount

How many blocks from osctl.pools.<pool>.idRanges.<range>.startId should the range include. Defines the maximum number of user namespace maps that can be allocated from this range.

Type: unsigned integer, meaning >=0

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.blockSize

Number of user/group IDs that make up the minimum allocation unit

Type: unsigned integer, meaning >=0

Default: 65536

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.startId

The first user/group ID

Type: unsigned integer, meaning >=0

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.table

Allocate blocks from the range. Allocated blocks removed from configuration will not be automatically freed.

Type: list of submodules

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.table.*.count

Number of blocks to allocate

Type: unsigned integer, meaning >=0

Default: 1

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.table.*.index

Index of the starting block

Type: unsigned integer, meaning >=0

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.idRanges.<name>.table.*.owner

Optional allocation owner

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.parallelStart

Number of containers to start in parallel during pool import.

Type: positive integer, meaning >0

Default: 2

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.parallelStop

Number of containers to stop in parallel during pool export.

Type: positive integer, meaning >0

Default: 4

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.pure

Determines whether the pool contains only users, groups and containers declared by Nix configuration. Users, groups and containers that are not declared are deleted when found. WARNING: enabling this option will cause all manually created containers, groups and users to be irreversibly destroyed, with any data they contained.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.repositories

Remote osctl repositories for container images

Type: attribute set of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.repositories.<name>.enabled

Enable/disable the repository. Disabled repositories are included in the system, but they are not searched for images until re-enabled, which may be done manually using osctl.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.repositories.<name>.url

HTTP URL to the remote repository

Type: string

Example: "https://images.vpsadminos.org"

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.users

osctl users to include

Type: attribute set of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.users.<name>.gidMap

GID mapping for the user namespace, see man subgid(5).

Type: list of strings

Default: [ ]

Example: [ "0:666000:65536" ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.users.<name>.idRange.blockIndex

Block index from the ID range that should be used to create UID/GID mapping.

Type: null or unsigned integer, meaning >=0

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.users.<name>.idRange.name

Name of an ID range from the same pool that should be used to allocate UID/GID IDs.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.pools.<name>.users.<name>.uidMap

UID mapping for the user namespace, see man subuid(5).

Type: list of strings

Default: [ ]

Example: [ "0:666000:65536" ]

Declared by:

<vpsadminos/os/modules/osctl/pools.nix>
osctl.test-shell.enable

Enable test shell integration.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/osctl/test-shell.nix>
powerManagement.cpuFreqGovernor

CPU frequency scaling governor to use

Type: string

Default: "performance"

Example: "ondemand"

Declared by:

<vpsadminos/os/modules/tasks/cpu-freq.nix>
programs.bash.enableCompletion

Enable Bash completion for all interactive bash shells.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.enableLsColors

Enable extra colors in directory listings.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.interactiveShellInit

Shell script code called during interactive bash shell initialisation.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.loginShellInit

Shell script code called during login bash shell initialisation.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.promptInit

Shell script code used to initialise the bash prompt.

Type: strings concatenated with "\n"

Default:

''
# Provide a nice prompt if the terminal supports it.
if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
  PROMPT_COLOR="1;31m"
  let $UID && PROMPT_COLOR="1;32m"
  if [ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]; then
    # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
    PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
  else
    PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] "
  fi
  if test "$TERM" = "xterm"; then
    PS1="\[\033]2;\h:\u:\w\007\]$PS1"
  fi
fi
''

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.root.historyControl

Controlling how commands are saved on the history list.

Type: list of one of "erasedups", "ignoredups", "ignorespace"

Default: [ ]

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.root.historyFile

Location of the bash history file.

Type: string

Default: "\$HOME/.bash_history"

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.root.historyFileSize

Number of history lines to keep on file.

Type: signed integer

Default: 100000

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.root.historyIgnore

List of commands that should not be saved to the history list.

Type: list of strings

Default: [ ]

Example: [ "ls" "cd" "exit" ]

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.root.historyPools

Names of ZFS pools where programs.bash.root.historyFile is mirrored. If the root file system is not persistent, shell history is lost between reboots. It is not recommended to set programs.bash.root.historyFile to a location on a ZFS pool, because if the pool fails, interactive shell sessions would hang while trying to load the history file. It is better to mirror the history file while the pool is available; its inaccessibility will then not prevent bash from working. The history file is restored from the persistent storage during boot.

Type: list of strings

Default: [ ]

Example: [ "tank" ]

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.root.historySize

Number of history lines to keep in memory.

Type: signed integer

Default: 10000

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.root.shellOptions

Shell options to set.

Type: list of strings

Default: [ "histappend" "checkwinsize" "extglob" "globstar" "checkjobs" ]

Declared by:

<vpsadminos/os/modules/programs/bash.nix>
programs.bash.shellAliases

Set of aliases for bash shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.

Type: attribute set of null or string or paths

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.shellInit

Shell script code called during bash shell initialisation.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.htop.enable

Enable htop

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/programs/htop.nix>
programs.ssh.package

The package used for the openssh client and daemon.

Type: package

Default: "pkgs.openssh"

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.agentPKCS11Whitelist

A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add.

Type: null or string

Default: null

Example: "\${pkgs.opensc}/lib/opensc-pkcs11.so"

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.agentTimeout

How long to keep the private keys in memory. Use null to keep them forever.

Type: null or string

Default: null

Example: "1h"

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.askPassword

Program used by SSH to ask for passwords.

Type: string

Default: "\${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.ciphers

Specifies the ciphers allowed and their order of preference.

Type: null or list of strings

Default: null

Example: [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.extraConfig

Extra configuration text prepended to ssh_config. Other generated options will be added after a Host * pattern. See ssh_config(5) for help.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.forwardX11

Whether to request X11 forwarding on outgoing connections by default. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.hostKeyAlgorithms

Specifies the host key algorithms that the client wants to use in order of preference.

Type: list of strings

Default: [ ]

Example: [ "ssh-ed25519" "ssh-rsa" ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.kexAlgorithms

Specifies the available KEX (Key Exchange) algorithms.

Type: null or list of strings

Default: null

Example: [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts

The set of system-wide known SSH hosts.

Type: attribute set of submodules

Default: { }

Example:

{
  myhost = {
    hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
    publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
  };
  myhost2 = {
    hostNames = [ "myhost2" ];
    publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.certAuthority

This public key is an SSH certificate authority, rather than an individual host's key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.hostNames

A list of host names and/or IP numbers used for accessing the host's ssh service.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.publicKey

The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.

Type: null or string

Default: null

Example: "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.publicKeyFile

The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.macs

Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection.

Type: null or list of strings

Default: null

Example: [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.pubkeyAcceptedKeyTypes

Specifies the key types that will be used for public key authentication.

Type: list of strings

Default: [ ]

Example: [ "ssh-ed25519" "ssh-rsa" ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.setXAuthLocation

Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.startAgent

Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don't have to type in passphrases every time you make an SSH connection. Use ssh-add to add a key to the agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
runit.defaultRunlevel

Name of a runlevel that is entered by default on boot.

Type: string

Default: "default"

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services

System services

Type: attribute set of submodules

Default: { }

Example:

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.check

Called to check service status.

Type: string

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.alarm

Override runsv control for alarm. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.continue

Override runsv control for continue. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.down

Override runsv control for down. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.exit

Override runsv control for exit. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.hangup

Override runsv control for hangup. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.intr

Override runsv control for intr. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.kill

Override runsv control for kill. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.pause

Override runsv control for pause. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.quit

Override runsv control for quit. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.terminate

Override runsv control for terminate. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.up

Override runsv control for up. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.usr1

Override runsv control for usr1. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.control.usr2

Override runsv control for usr2. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.finish

Called after runit.services.<name>.run exits.

Type: string

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.includeHelpers

Include helper functions, see ./helpers.sh.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.killMode

Specifies how processes started by this service should be killed. If set to control-group, all processes in the service's control group are sent SIGTERM. If set to process, only the main process receives SIGTERM.

Type: one of "control-group", "process"

Default: "control-group"

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.enable

Whether to start svlogd for the service.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.linePrefix

Tells svlogd to prefix each line to be written to the log directory, to standard error, or through UDP.

Type: string

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.logFiles

Sets the number of old log files svlogd should maintain. If svlogd sees more old log files in log after log file rotation, it deletes the oldest one. Default is 10. If set to zero, svlogd doesn’t remove old log files.

Type: unsigned integer, meaning >=0

Default: 10

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.logStandardError

Log messages the service writes to stderr.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.maxFileSize

Sets the file size, in bytes, at which svlogd rotates the current log file. Default is 1000000. If maxFileSize is zero, svlogd doesn't rotate log files.

Type: unsigned integer, meaning >=0

Default: 1000000

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.minLogFiles

Sets the minimum number of old log files svlogd should maintain. It must be less than logFiles. If it is set, and svlogd cannot write to current because the filesystem is full, and it sees more than minLogFiles old log files, it deletes the oldest one.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.run

Called to start log service.

Type: string

Default: ""

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.sendOnly

Send messages only via UDP, don't store them in the log directory.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.sendTo

Tells svlogd to transmit the first len characters of selected log messages to the IP address a.b.c.d, port number port. If port isn't set, the default port for syslog is used (514). len can be set through svlogd's -l option, see man svlogd(8). If svlogd has trouble sending UDP packets, it writes error messages to the log directory. Attention: logging through UDP is unreliable, and should be used in private networks only.

Type: string

Default: ""

Example: "a.b.c.d[:port]"

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.log.timeout

Sets the maximum age of the current log file when svlogd should rotate the current log file to timeout seconds. If current is timeout seconds old, and is not empty, svlogd forces log file rotation.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.onChange

The action switch-to-configuration should perform when the service is changed.

Type: one of "restart", "reload", "ignore"

Default: "restart"

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.oneShot

Oneshot services are used to perform one-time tasks; there are no long-running processes monitored by runsv. Oneshot services are not restarted after they successfully exit.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.reloadMethod

Defines how the service should be reloaded. The value is the command given to runit's sv. See man sv(8) for available options.

Type: string

Default: "reload"

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.run

Called to start the service.

Type: string

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.services.<name>.runlevels

Runlevels the service is started in.

Type: list of strings

Default: [ "default" ]

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.stage1

runit runs /etc/runit/1 and waits for it to terminate. The system’s one time tasks are done here. /etc/runit/1 has full control of /dev/console to be able to start an emergency shell if the one time initialization tasks fail. If /etc/runit/1 crashes, or exits 100, runit will skip stage 2 and enter stage 3.

Type: string

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.stage2

runit runs /etc/runit/2, which should not return until system shutdown; if it crashes, or exits 111, it will be restarted. Normally /etc/runit/2 starts runsvdir(8). runit is able to handle the ctrl-alt-del keyboard request in stage 2.

Type: string

Declared by:

<vpsadminos/os/modules/system/boot/runit>
runit.stage3

If runit is told to shut down the system, or stage 2 returns, it terminates stage 2 if it is running, and runs /etc/runit/3. The system's tasks to shut down and possibly halt or reboot the system are done here. If stage 3 returns, runit checks if the file /etc/runit/reboot exists and has the execute-by-owner permission set. If so, the system is rebooted; it is halted otherwise.

Type: string

Declared by:

<vpsadminos/os/modules/system/boot/runit>
security.apparmor.enable

Enable the AppArmor Mandatory Access Control system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.packages

List of packages to be added to apparmor's include path

Type: list of packages

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.parserConfig

AppArmor parser configuration file content

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.profiles

List of files containing AppArmor profiles.

Type: list of paths

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.pam.enableEcryptfs

Whether to enable eCryptfs PAM module (mounting ecryptfs home directory on login).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.enableOTPW

Whether to enable the OTPW (one-time password) PAM module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.enableSSHAgentAuth

Enable sudo logins if the user's SSH agent provides a key present in ~/.ssh/authorized_keys. This allows machines to exclusively use SSH keys instead of passwords.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits

Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a domain, type, item, and value attribute. The syntax and semantics of these attributes must be that described in the limits.conf(5) man page. Note that these limits do not apply to systemd services, whose limits can be changed via systemd.extraConfig instead.

Type: unspecified

Default: [ ]

Example: [ { domain = "ftp"; item = "nproc"; type = "hard"; value = "0"; } { domain = "@student"; item = "maxlogins"; type = "-"; value = "4"; } ]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.makeHomeDir.skelDirectory

Path to skeleton directory whose contents are copied to home directories newly created by pam_mkhomedir.

Type: string

Default: "/var/empty"

Example: "/etc/skel"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.mount.enable

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
security.pam.oath.enable

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
security.pam.p11.enable

Enables P11 PAM (pam_p11) module. If set, users can log in with SSH keys and PKCS#11 tokens. More information can be found here.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.p11.control

This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use the PKCS#11 device instead of the regular password, use "sufficient". Read pam.conf(5) for better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services

This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.

Type: attribute set of submodules

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.enableAppArmor

Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.enableGnomeKeyring

If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login. If the user login password does not match their keyring password, Gnome Keyring will prompt separately after login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.enableKwallet

If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login. If the user has no wallet named "kdewallet", or the login password does not match their wallet password, KDE will prompt separately after login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.allowNullPassword

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to !). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.duoSecurity.enable

If set, use the Duo Security pam module pam_duo for authentication. Requires configuration of security.duosec options.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.forwardXAuth

Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.fprintAuth

If set, fingerprint reader will be used (if exists and your fingerprints are enrolled).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.googleAuthenticator.enable

If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide Google Authenticator token to log in.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.googleOsLoginAccountVerification

If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly. This only makes sense to enable for the sshd PAM service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.googleOsLoginAuthentication

If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA. This only makes sense to enable for the sshd PAM service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.limits

Attribute set describing resource limits. Defaults to the value of security.pam.loginLimits.

Type: unspecified

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.logFailures

Whether to log authentication failures in /var/log/faillog.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.makeHomeDir

Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.name

Name of the PAM service.

Type: string

Example: "sshd"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.nodelay

Whether the delay after typing a wrong password should be disabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.oathAuth

If set, the OATH Toolkit will be used.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.otpwAuth

If set, the OTPW system will be used (if ~/.otpw exists).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.p11Auth

If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.pamMount

Enable the PAM mount (pam_mount) system to mount filesystems on user login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.requireWheel

Whether to permit root access only to members of group wheel.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.rootOK

If set, root doesn't need to authenticate (e.g. for the useradd service).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.setEnvironment

Whether the service should set the environment variables listed in environment.sessionVariables using pam_env.so.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.setLoginUid

Set the login uid of the process (/proc/self/loginuid) for auditing purposes. The login uid is only set by ‘entry points’ like login and sshd, not by commands like sudo.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.showMotd

Whether to show the message of the day.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.sshAgentAuth

If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.sssdStrictAccess

Whether to enforce SSSD access control.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.startSession

If set, the service will register a new session with systemd's login manager. For local sessions, this gives the user access to audio devices and CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.text

Contents of the PAM service file.

Type: null or strings concatenated with "\n"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.u2fAuth

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. Path can be changed using security.pam.u2f.authFile option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.unixAuth

Whether users can log in with passwords defined in /etc/shadow.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.updateWtmp

Whether to update /var/log/wtmp.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.usbAuth

If set, users listed in /etc/pamusb.conf are able to log in with the associated USB key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.yubicoAuth

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.enable

Enables the U2F PAM (pam-u2f) module. If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if the XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using the security.pam.u2f.authFile option. The file format is one line per user: username:first_keyHandle,first_public_key:second_keyHandle,second_public_key. This file can be generated using the pamu2fcfg command.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.authFile

By default the pam-u2f module reads the keys from $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if the XDG variable is not set). If you want to change the auth file location or centralize the database (for example in /etc/u2f-mappings) you can set this option. The file format is one line per user: username:first_keyHandle,first_public_key:second_keyHandle,second_public_key. This file can be generated using the pamu2fcfg command.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.control

This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use U2F device instead of regular password, use "sufficient". Read pam.conf(5) for better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.cue

By default the pam-u2f module does not inform the user that the U2F device must be used; it just waits without a prompt. If this option is set to true, the cue option is added to the pam-u2f module and a reminder message is displayed.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.debug

Debug output to stderr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.interactive

Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn’t have a tactile trigger.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
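An added configuration example, not taken from the vpsAdminOS or NixOS manual, that ties the security.pam.u2f options together: pam-u2f as a second factor for the local login and sudo PAM services, with a central root-owned mapping file. pam-u2f talks to a token plugged into the machine running the PAM stack, so it fits console logins and sudo, not remote sshd sessions. Assumptions: environment.etc and the users' names are standard NixOS but not documented on this page; the key handle and public key in the mapping file are placeholders to be replaced with pamu2fcfg output; the comment about u2fAuth defaulting to security.pam.u2f.enable describes upstream nixpkgs behaviour at the time of writing and should be verified in the generated /etc/pam.d files.

```nix
# Added example, not part of the manual: pam-u2f as a second factor.
{ config, pkgs, lib, ... }:

{
  security.pam.u2f = {
    enable = true;
    # "required" keeps the password check and adds the token: real MFA.
    # The default "sufficient" lets the token *replace* the password, so
    # anyone holding the key logs in without knowing it.
    control = "required";
    cue = true;                      # print a reminder to touch the token
    # Central mapping file instead of per-user ~/.config/Yubico/u2f_keys,
    # so users cannot enrol extra keys for themselves without root.
    authFile = "/etc/u2f-mappings";
  };

  # ASSUMPTION: environment.etc is standard NixOS, not documented on this page.
  # Format: username:keyHandle,publicKey[:keyHandle,publicKey ...], one line
  # per user. Placeholders below; generate real values with `pamu2fcfg -u alice`.
  environment.etc."u2f-mappings" = {
    mode = "0644";   # world-readable is fine: the file holds public keys only
    text = ''
      alice:KEYHANDLE_PLACEHOLDER,PUBLICKEY_PLACEHOLDER
    '';
  };

  # Attach the module only where a locally attached token makes sense.
  security.pam.services.login.u2fAuth = true;
  security.pam.services.sudo.u2fAuth = true;

  # ASSUMPTION (upstream nixpkgs behaviour): u2fAuth for every PAM service
  # defaults to security.pam.u2f.enable. With control = "required" that would
  # lock remote SSH users out, because the token cannot be on the server.
  security.pam.services.sshd.u2fAuth = false;

  # Keep the delay after a wrong password so online guessing stays slow.
  security.pam.services.login.nodelay = false;
}
```

Before rebooting, check the generated /etc/pam.d/login and /etc/pam.d/sudo for the pam_u2f.so line and its control word, and keep a root shell open while testing: with "required" and an empty or wrong mapping file, nobody can authenticate through those services.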
security.pam.usb.enable

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
security.pam.yubico.enable

Enables the Yubico PAM (yubico-pam) module. If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated YubiKey tokens. Each line of the file has the form username:yubikey_token_id1:yubikey_token_id2 (one line per user).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.control

This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use Yubikey instead of regular password, use "sufficient". Read pam.conf(5) for better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.debug

Debug output to stderr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.id

Client ID for the YubiKey validation service (used in "client" mode).

Type: string

Example: "42"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.mode

Mode of operation. Use "client" for online validation with a YubiKey validation service such as the YubiCloud. Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.

Type: one of "client", "challenge-response"

Default: "client"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pki.caCertificateBlacklist

A list of blacklisted CA certificate names that won't be imported from the Mozilla Trust Store into /etc/ssl/certs/ca-certificates.crt. Use the names from that file.

Type: list of strings

Default: [ ]

Example: [ "WoSign" "WoSign China" "CA WoSign ECC Root" "Certification Authority of WoSign G2" ]

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.pki.certificateFiles

A list of files containing trusted root certificates in PEM format. These are concatenated to form /etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as curl and git.

Type: list of paths

Default: [ ]

Example:

[ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.pki.certificates

A list of trusted root certificates in PEM format.

Type: list of strings

Default: [ ]

Example:

[ ''
    NixOS.org
    =========
    -----BEGIN CERTIFICATE-----
    MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
    TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
    ...
    -----END CERTIFICATE-----
  ''
]

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.sudo.enable

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.configFile

This string contains the contents of the sudoers file.

Type: strings concatenated with "\n"

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraConfig

Extra configuration text appended to sudoers.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules

Define specific rules to be in the sudoers file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure this is the case when configuration options are merged.

Type: list of submodules

Default: [ ]

Example:

[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
  # and the group with GID `1006` without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group `bar` to run two executables as user `foo`
  # with arguments being pre-set.
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
          { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.commands

The commands for which the rule should apply.

Type: list of string or submodules

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.groups

The groups / GIDs this rule should apply for.

Type: list of string or signed integers

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.host

For what host this rule should apply.

Type: string

Default: "ALL"

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.runAs

Under which user/group the specified command is allowed to run. A user can be specified using just the username: "foo". It is also possible to specify a user/group combination using "foo:bar" or to only allow running as a specific group with ":bar".

Type: string

Default: "ALL:ALL"

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.users

The usernames / UIDs this rule should apply for.

Type: list of string or signed integers

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.wheelNeedsPassword

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
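An added example, not from the manual, showing the sudo options above used for least privilege: wheel keeps its password prompt, two narrow extraRules grant single commands, and extraConfig adds sudoers(5) Defaults for session logging. The group and user names, the unit name and the backup script path are invented for the example; the Defaults keywords (use_pty, log_output, timestamp_timeout) are real sudoers settings.

```nix
# Added example, not part of the manual: least-privilege sudo rules.
{ config, pkgs, lib, ... }:

{
  security.sudo = {
    enable = true;
    wheelNeedsPassword = true;   # never silently hand root to the wheel group

    # mkAfter keeps these specific rules after the general ones that other
    # modules contribute, as the option description recommends.
    extraRules = lib.mkAfter [
      # Operators may restart exactly one unit, without a password. The
      # argument is part of the matched command string, so "restart nginx"
      # cannot be turned into "restart sshd" or "stop nginx" by the caller.
      { groups = [ "web-ops" ];               # hypothetical group
        commands = [
          { command = "${pkgs.systemd}/bin/systemctl restart nginx.service";
            options = [ "NOPASSWD" ]; }
        ]; }

      # The backup account may run one script, only as the "backup-ro" user.
      # The script must not be writable by the caller: otherwise this rule is
      # the same as giving the caller an interactive shell as backup-ro.
      { users = [ "backup" ]; runAs = "backup-ro";   # hypothetical accounts
        commands = [
          { command = "/var/lib/backup/run-backup.sh";   # hypothetical path
            options = [ "NOPASSWD" ]; }
        ]; }
    ];

    # sudoers(5) Defaults: run commands on a fresh pty (defeats some tty
    # injection tricks), record session I/O for forensics, and shorten the
    # credential cache so an unattended terminal is less useful.
    extraConfig = ''
      Defaults use_pty
      Defaults log_output
      Defaults timestamp_timeout=5
    '';
  };
}
```

Avoid wildcards in the command string of a NOPASSWD rule: `systemctl restart *` would match `systemctl restart sshd.service`, and any entry whose program can spawn a shell or open files (editors, pagers, tar with --to-command) is effectively an unrestricted rule.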
security.virtualisation

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
security.wrappers

This option allows the ownership and permissions on the setuid wrappers for specific programs to be overridden from the default (setuid root, but not setgid root).

Note

The sub-attribute source is mandatory, it must be the absolute path to the program to be wrapped.

The sub-attribute program is optional and can give the wrapper program a new name. The default name is the same as the attribute name itself.

Additionally, this option can set capabilities on a wrapper program that propagates those capabilities down to the wrapped, real program.

NOTE: cap_setpcap, which the wrapper program needs in order to raise capabilities into the Ambient set, is NOT itself raised into the Ambient set, so the real program cannot modify its own capabilities. This may be too restrictive for cases in which the real program needs cap_setpcap, but it errs on the side of being paranoid rather than too relaxed.

Type: attribute set

Default: { }

Example:

{ sendmail.source = "/nix/store/.../bin/sendmail";
  ping = {
    source  = "${pkgs.iputils.out}/bin/ping";
    owner   = "nobody";
    group   = "nogroup";
    capabilities = "cap_net_raw+ep";
  };
}

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
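An added example, not from the manual, extending the ping case above: a capability wrapper whose execution is restricted to one group, beside the setuid-root alternative it replaces. Assumptions: users.groups is standard NixOS but not documented on this page; the permissions and setuid sub-attributes are not listed in the option description above and are assumed to exist alongside source, program, owner, group and capabilities; the group name is invented.

```nix
# Added example, not part of the manual: a group-restricted capability wrapper.
{ config, pkgs, lib, ... }:

{
  # ASSUMPTION: users.groups is standard NixOS, not documented on this page.
  users.groups.netcap = { };            # hypothetical group

  security.wrappers = {
    # The wrapper carries only cap_net_raw and cap_net_admin, never uid 0,
    # and propagates them to the real tcpdump through the Ambient set.
    # Because cap_setpcap is withheld (see the NOTE above), tcpdump cannot
    # widen its own capability set afterwards.
    tcpdump = {
      source = "${pkgs.tcpdump}/bin/tcpdump";
      owner = "root";
      group = "netcap";
      # ASSUMPTION: "permissions" sub-attribute; 0550, so only the group
      # may execute the wrapper at all.
      permissions = "u+rx,g+rx,o-rwx";
      capabilities = "cap_net_raw,cap_net_admin+ep";
    };
  };

  # What this replaces: a setuid-root wrapper around a large, argument-driven
  # program hands its whole parsing attack surface to every local user as root.
  # (ASSUMPTION: "setuid" sub-attribute.)
  # security.wrappers.tcpdump = {
  #   source = "${pkgs.tcpdump}/bin/tcpdump";
  #   setuid = true; owner = "root"; group = "root";
  # };
}
```

After switching, confirm from a member of the group that the wrapper runs and that `cat /proc/self/status | grep Cap` inside a spawned child shows the expected bounded set, and from a non-member that execution is denied rather than falling through to an unprivileged copy on PATH.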
services.apcupsd.enable

Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure. User manual: http://www.apcupsd.com/manual/manual.html. Note that apcupsd runs as root (to allow shutdown of computer). You can check the status of your UPS with the "apcaccess" command.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/monitoring/apcupsd.nix>
services.apcupsd.configText

Contents of the runtime configuration file, apcupsd.conf. The default settings make apcupsd autodetect USB UPSes, limit network access to localhost and shut down the system when the battery level is below 50 percent, or when the UPS has calculated that it has 5 minutes or less of remaining power-on time. See man apcupsd.conf for details.

Type: strings concatenated with "\n"

Default:

''
UPSTYPE usb
NISIP 127.0.0.1
BATTERYLEVEL 50
MINUTES 5
''

Declared by:

<vpsadminos/os/modules/services/monitoring/apcupsd.nix>
services.apcupsd.hooks

Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that event (prior to the default action). See "man apccontrol" for the list of events and what they represent. A hook script can stop apccontrol from doing its default action by exiting with value 99. Do not do this unless you know what you're doing.

Type: attribute set of strings concatenated with "\n"s

Default: { }

Example: { doshutdown = "# shell commands to notify that the computer is shutting down"; }

Declared by:

<vpsadminos/os/modules/services/monitoring/apcupsd.nix>
services.avahi

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.cgmanager

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.cron.enable

Whether to enable the Vixie cron daemon.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/scheduling/cron.nix>
services.cron.cronFiles

A list of extra crontab files that will be read and appended to the main crontab file when the cron service starts.

Type: list of paths

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/scheduling/cron.nix>
services.cron.mailto

Email address to which job output will be mailed.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/scheduling/cron.nix>
services.cron.systemCronJobs

A list of cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid sendmail; see security.wrappers. If neither /var/cron/cron.deny nor /var/cron/cron.allow exists, only root is allowed to have its own crontab file. The /var/cron/cron.deny file is created automatically for you, so every user can use a crontab. Many NixOS modules set systemCronJobs, so if you decide to disable Vixie cron and enable another cron daemon, you may want it to get its system crontab based on systemCronJobs.

Type: list of strings

Default: [ ]

Example:

[ "* * * * *  test   ls -l / > /tmp/cronout 2>&1"
  "* * * * *  eelco  echo Hello World > /home/eelco/cronout"
]

Declared by:

<vpsadminos/os/modules/services/scheduling/cron.nix>
services.dhcpd4.enable

Whether to enable the DHCPv4 server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.authoritative

Whether the DHCP server shall send DHCPNAK messages to misconfigured clients. If this is not done, clients may be unable to get a correct IP address after changing subnets until their old lease has expired.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.configFile

The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.extraConfig

Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something there, such as the options specifying the subnet mask, DNS servers, etc.

Type: strings concatenated with "\n"

Default: ""

Example:

''
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.5;
option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1;
option domain-name "example.org";
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
''

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.extraFlags

Additional command line flags to be passed to the dhcpd daemon.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.interfaces

The interfaces on which the DHCP server should listen.

Type: list of strings

Default: [ "eth0" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.machines

A list mapping Ethernet addresses to IPv4 addresses for the DHCP server.

Type: list of submodules

Default: [ ]

Example: [ { ethernetAddress = "00:16:76:9a:32:1d"; hostName = "foo"; ipAddress = "192.168.1.10"; } { ethernetAddress = "00:19:d1:1d:c4:9a"; hostName = "bar"; ipAddress = "192.168.1.11"; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.machines.*.ethernetAddress

MAC address of the machine.

Type: string

Example: "00:16:76:9a:32:1d"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.machines.*.hostName

Hostname which is assigned statically to the machine.

Type: string

Example: "foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.machines.*.ipAddress

IP address of the machine.

Type: string

Example: "192.168.1.10"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd4.stateDir

State directory for the DHCP server.

Type: path

Default: "/var/lib/dhcp"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.enable

Whether to enable the DHCPv6 server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.authoritative

Whether the DHCP server shall send DHCPNAK messages to misconfigured clients. If this is not done, clients may be unable to get a correct IP address after changing subnets until their old lease has expired.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.configFile

The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.extraConfig

Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something there, such as the options specifying the subnet mask, DNS servers, etc.

Type: strings concatenated with "\n"

Default: ""

Example:

''
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.5;
option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1;
option domain-name "example.org";
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
''

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.extraFlags

Additional command line flags to be passed to the dhcpd daemon.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.interfaces

The interfaces on which the DHCP server should listen.

Type: list of strings

Default: [ "eth0" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.machines

A list mapping Ethernet addresses to IPv6 addresses for the DHCP server.

Type: list of submodules

Default: [ ]

Example: [ { ethernetAddress = "00:16:76:9a:32:1d"; hostName = "foo"; ipAddress = "192.168.1.10"; } { ethernetAddress = "00:19:d1:1d:c4:9a"; hostName = "bar"; ipAddress = "192.168.1.11"; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.machines.*.ethernetAddress

MAC address of the machine.

Type: string

Example: "00:16:76:9a:32:1d"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.machines.*.hostName

Hostname which is assigned statically to the machine.

Type: string

Example: "foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.machines.*.ipAddress

IP address of the machine.

Type: string

Example: "192.168.1.10"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd6.stateDir

State directory for the DHCP server.

Type: path

Default: "/var/lib/dhcp6"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.fprintd

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.geoclue2

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.haveged.enable

Whether to enable the haveged entropy daemon, which refills /dev/random when low.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/security/haveged.nix>
services.haveged.refill_threshold

The number of bits of available entropy beneath which haveged should refill the entropy pool.

Type: signed integer

Default: 1024

Declared by:

<vpsadminos/os/modules/services/security/haveged.nix>
services.logrotate.enable

Whether to enable log rotation.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/logging/logrotate.nix>
services.logrotate.extraConfig

Additional text to append to logrotate.conf

Type: string

Default: ""

Example:

''
/var/log/wtmp {
  monthly
  minsize 1M
  create 0664 root utmp
  rotate 1
}
''

Declared by:

<vpsadminos/os/modules/services/logging/logrotate.nix>
services.logrotate.logFiles

This option has no description.

Type: list of submodules

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/logging/logrotate.nix>
services.logrotate.logFiles.*.config

logrotate configuration

Type: string

Example:

''
daily
rotate 7
dateext
copytruncate
notifempty
nocompress
''

Declared by:

<vpsadminos/os/modules/services/logging/logrotate.nix>
services.logrotate.logFiles.*.files

Files to rotate

Type: list of strings

Example: [ "/var/log/messages" "/var/log/*.log" ]

Declared by:

<vpsadminos/os/modules/services/logging/logrotate.nix>
services.munin-node.enable

Enable Munin Node agent. Munin node listens on 0.0.0.0 and by default accepts connections only from 127.0.0.1 for security reasons. See http://guide.munin-monitoring.org/en/latest/architecture/index.html.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/monitoring/munin.nix>
services.munin-node.disabledPlugins

Munin plugins to disable, even if munin-node-configure --suggest tries to enable them. To disable a wildcard plugin, use an actual wildcard, as in the example. munin_stats is disabled by default as it tries to read /var/log/munin/munin-update.log for timing information, and the NixOS build of Munin does not write this file.

Type: list of strings

Default: [ "munin_stats" ]

Example: [ "diskstats" "zfs_usage_*" ]

Declared by:

<vpsadminos/os/modules/services/monitoring/munin.nix>
services.munin-node.extraAutoPlugins

Additional Munin plugins to autoconfigure, using munin-node-configure --suggest. These should be the actual paths to the plugin files (or directories containing them), not just their names. If you want to manually enable individual plugins instead, use services.munin-node.extraPlugins. Note that only plugins that have the 'autoconfig' capability will do anything if listed here, since plugins that cannot autoconfigure won't be automatically enabled by munin-node-configure. Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to /bin, /usr/bin, /sbin, and /usr/sbin.

Type: list of paths

Default: [ ]

Example:

[
  /src/munin-contrib/plugins/zfs
  /src/munin-contrib/plugins/ssh
];

Declared by:

<vpsadminos/os/modules/services/monitoring/munin.nix>
services.munin-node.extraConfig

munin-node.conf extra configuration. See http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/monitoring/munin.nix>
services.munin-node.extraPluginConfig

plugin-conf.d extra plugin configuration. See http://guide.munin-monitoring.org/en/latest/plugin/use.html

Type: strings concatenated with "\n"

Default: ""

Example:

''
[fail2ban_*]
user root
''

Declared by:

<vpsadminos/os/modules/services/monitoring/munin.nix>
services.munin-node.extraPlugins

Additional Munin plugins to activate. Keys are the name of the plugin symlink, values are the path to the underlying plugin script. You can use the same plugin script multiple times (e.g. for wildcard plugins). Note that these plugins do not participate in autoconfiguration. If you want to autoconfigure additional plugins, use services.munin-node.extraAutoPlugins. Plugins enabled in this manner take precedence over autoconfigured plugins. Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to /bin, /usr/bin, /sbin, and /usr/sbin.

Type: attribute set of paths

Default: { }

Example:

{
  zfs_usage_bigpool = /src/munin-contrib/plugins/zfs/zfs_usage_;
  zfs_usage_smallpool = /src/munin-contrib/plugins/zfs/zfs_usage_;
  zfs_list = /src/munin-contrib/plugins/zfs/zfs_list;
};

Declared by:

<vpsadminos/os/modules/services/monitoring/munin.nix>
services.nfs.server.enable

Whether to enable the NFS server.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.exports

Contents of the /etc/exports file. See exports(5) for the format.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.lockdPort

Use a fixed port for the NFS lock manager kernel module (lockd/nlockmgr). This is useful if the NFS server is behind a firewall.

Type: null or signed integer

Default: null

Example: 4001

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.mountdPort

Use fixed port for rpc.mountd, useful if server is behind firewall.

Type: null or signed integer

Default: null

Example: 4002

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.allowedVersions

This option can be used to request that rpc.nfsd offer certain versions of NFS. The current version of rpc.nfsd can support major NFS versions 2,3,4 and the minor versions 4.0, 4.1 and 4.2.

Type: list of one of "2", "3", "4", "4.0", "4.1", "4.2"s

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.disallowedVersions

This option can be used to request that rpc.nfsd does not offer certain versions of NFS. The current version of rpc.nfsd can support major NFS versions 2,3,4 and the minor versions 4.0, 4.1 and 4.2.

Type: list of one of "2", "3", "4", "4.0", "4.1", "4.2"s

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.nproc

Specify the number of NFS server threads. By default, eight threads are started. However, for optimum performance several threads should be used.

Type: positive integer, meaning >0

Default: 8

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.port

Configure port for rpc.nfsd, useful if server is behind firewall.

Type: signed integer

Default: 2049

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.syslog

By default, rpc.nfsd logs error messages (and debug messages, if enabled) to stderr. This option makes rpc.nfsd log these messages to syslog instead. Note that errors encountered during option processing will still be logged to stderr regardless of this option.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.tcp

Instruct the kernel nfs server to open and listen on a TCP socket.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.nfsd.udp

Instruct the kernel nfs server to open and listen on a UDP socket.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
services.nfs.server.statdPort

Use a fixed port for rpc.statd. This is useful if the NFS server is behind a firewall.

Type: null or signed integer

Default: null

Example: 4000

Declared by:

<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
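An added example, not from the manual, combining the services.nfs.server options above into an NFSv4-only export on fixed ports. The export path and subnet are invented; the exports(5) keywords are real. Firewall rules for the pinned ports are outside this page's options and not shown.

```nix
# Added example, not part of the manual: NFSv4-only, read-only export.
{ config, ... }:

{
  services.nfs.server = {
    enable = true;

    # exports(5): read-only, root_squash maps a remote root to nobody, and
    # only one subnet may mount. Exporting to "*" or with no_root_squash
    # means any host that can reach port 2049 is root on the share.
    exports = ''
      /srv/export  192.168.1.0/24(ro,sync,root_squash,no_subtree_check)
    '';

    # v4.1/4.2 keep everything on one TCP port and do not need the separate
    # lockd/statd/mountd listeners of v2/v3. Note that without Kerberos every
    # version still trusts client-supplied uids (AUTH_SYS), so the subnet
    # restriction and root_squash are what actually limit access.
    nfsd.allowedVersions = [ "4.1" "4.2" ];
    nfsd.disallowedVersions = [ "2" "3" ];
    nfsd.udp = false;            # TCP only; UDP NFS is easy to spoof
    nfsd.syslog = true;          # errors go to syslog, where they are collected

    # Fixed ports for the legacy side daemons so a stateful firewall can pin
    # them; they stay idle with v2/v3 disabled but must not roam if enabled.
    lockdPort = 4001;
    mountdPort = 4002;
    statdPort = 4000;
  };
}
```

Verify from a client outside the allowed subnet that `showmount -e` and a v3 mount attempt fail, and from an allowed client that a v4.1 mount succeeds read-only and that files created as root arrive owned by nobody.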
services.nscd

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.opensmtpd.enable

Whether to enable the OpenSMTPD server.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/mail/opensmtpd.nix>
services.opensmtpd.package

The OpenSMTPD package to use.

Type: package

Default: "pkgs.opensmtpd"

Declared by:

<vpsadminos/os/modules/services/mail/opensmtpd.nix>
services.opensmtpd.addSendmailToSystemPath

Whether to add OpenSMTPD's sendmail binary to the system path or not.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/services/mail/opensmtpd.nix>
services.opensmtpd.extraServerArgs

Extra command line arguments provided when the smtpd process is started.

Type: list of strings

Default: [ ]

Example: [ "-v" "-P mta" ]

Declared by:

<vpsadminos/os/modules/services/mail/opensmtpd.nix>
services.opensmtpd.procPackages

Packages to search for filters, tables, queues, and schedulers. Add OpenSMTPD-extras here if you want to use the filters, etc. from that package.

Type: list of packages

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/mail/opensmtpd.nix>
services.opensmtpd.serverConfiguration

The contents of the smtpd.conf configuration file. See the OpenSMTPD documentation for syntax information.

Type: null or strings concatenated with "\n"

Default: null

Example:

''
listen on lo
accept for any deliver to lmtp localhost:24
''

Declared by:

<vpsadminos/os/modules/services/mail/opensmtpd.nix>
services.openssh.enable

Whether to enable the OpenSSH secure shell daemon, which allows secure remote logins.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.allowSFTP

Whether to enable the SFTP subsystem in the SSH daemon. This enables the use of commands such as sftp and sshfs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysCommand

Specifies a program to be used to look up the user's public keys. The program must be owned by root, not writable by group or others and specified by an absolute path.

Type: string

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysCommandUser

Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysFiles

Files from which authorized keys are read.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.banner

Message to display to the remote user before authentication is allowed.

Type: null or strings concatenated with "\n"

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.challengeResponseAuthentication

Specifies whether challenge/response authentication is allowed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.ciphers

Allowed ciphers

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29

Type: list of strings

Default: [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.extraConfig

Verbatim contents of sshd_config.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.forwardX11

Whether to allow X11 connections to be forwarded.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.gatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See sshd_config(5).

Type: string

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.hostKeys

NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See ssh-keygen(1) for supported types and sizes.

Type: list of attribute sets

Default: [ { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; } { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } ]

Example: [ { bits = 4096; openSSHFormat = true; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; type = "rsa"; } { comment = "key comment"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; type = "ed25519"; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.kexAlgorithms

Allowed key exchange algorithms

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29

Type: list of strings

Default: [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.knownHosts

Alias of programs.ssh.knownHosts.

Type: attribute set of submodules

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.knownHosts.<name>.certAuthority

This public key is an SSH certificate authority, rather than an individual host's key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.hostNames

A list of host names and/or IP numbers used for accessing the host's ssh service.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.publicKey

The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.

Type: null or string

Default: null

Example: "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.publicKeyFile

The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.listenAddresses

List of addresses and ports to listen on (ListenAddress directive in config). If no port is specified for an address, sshd will listen on all ports specified by the ports option. NOTE: this will override the default of listening on all local addresses and port 22. NOTE: setting this option won't automatically open the given ports in the firewall configuration.

Type: list of submodules

Default: [ ]

Example: [ { addr = "192.168.3.1"; port = 22; } { addr = "0.0.0.0"; port = 64022; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.listenAddresses.*.addr

Host, IPv4 or IPv6 address to listen to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.listenAddresses.*.port

Port to listen to.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.logLevel

Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. LogLevel VERBOSE logs the user's key fingerprint on login, which is needed to have a clear audit trail of which key was used to log in.

Type: one of "QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"

Default: "VERBOSE"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.macs

Allowed MACs

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29

Type: list of strings

Default: [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.moduliFile

Path to moduli file to install in /etc/ssh/moduli. If this option is unset, then the moduli file shipped with OpenSSH will be used.

Type: path

Example: "/etc/my-local-ssh-moduli;"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.openFirewall

Whether to automatically open the specified ports in the firewall.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.passwordAuthentication

Specifies whether password authentication is allowed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.permitRootLogin

Whether the root user can login using ssh.

Type: one of "yes", "without-password", "prohibit-password", "forced-commands-only", "no"

Default: "prohibit-password"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.ports

Specifies on which ports the SSH daemon listens.

Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)

Default: [ 22 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.sftpFlags

Commandline flags to add to sftp-server.

Type: list of strings

Default: [ ]

Example: [ "-f AUTHPRIV" "-l INFO" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.startWhenNeeded

If set, sshd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start an instance for each incoming connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.useDns

Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to no (the default), then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.osctl.image-repository

Configure container image repositories

Type: attribute set of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.buildDataset

Name of a dataset used to build images

Type: string

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.buildInterval

Date and time expression for when to build images, in crontab format, i.e. minute, hour, day of month, month and day of week separated by spaces.

Type: null or string

Default: "0 4 * * *"

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.buildScriptDir

Path to directory with image build scripts for use with osctl-image

Type: string

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.cacheDir

Path to directory where built images are cached before being added to the repository.

Type: string

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.defaultVendor

Name of the default image vendor

Type: string

Example: "vpsadminos"

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection

Garbage collection of old images

Type: list of submodules

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection.*.arch

Regular expression to match image arch

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection.*.distribution

Regular expression to match image distribution

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection.*.keep

Number of matched images to keep

Type: signed integer

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection.*.variant

Regular expression to match image variant

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection.*.vendor

Regular expression to match image vendor

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.garbageCollection.*.version

Regular expression to match image version

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.images

Configure container images

Type: attribute set of attribute sets of submodules

Default: { }

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.images.<name>.<name>.keepFailedTests

Keep containers of failed tests for further analysis

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.images.<name>.<name>.name

Optional image name

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.images.<name>.<name>.rebuild

Rebuild the image even if it is found in cacheDir

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.images.<name>.<name>.tags

Image tags

Type: list of strings

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.keepAllFailedTests

Keep containers of all failed tests for further analysis

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.logDir

Directory where build logs will be stored.

Type: string

Default: "/tmp"

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.path

Path to the generated image repository.

Type: string

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.postBuild

Shell commands to run after all images have been built, or their build has been attempted

Type: strings concatenated with "\n"

Default: ""

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.rebuildAll

Rebuild all images, even when they're found in cacheDir

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.vendors

Vendors

Type: attribute set of submodules

Default: { }

Example: { vpsadminos = { defaultVariant = "minimal"; } ; }

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.osctl.image-repository.<name>.vendors.<name>.defaultVariant

Name of the default image variant

Type: string

Example: "minimal"

Declared by:

<vpsadminos/os/modules/services/osctl/image-repository>
services.prometheus.exporters.node.enable

Whether to enable the node_exporter service.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
services.prometheus.exporters.node.enabledCollectors

Collectors to enable. The collectors listed here are enabled in addition to the default ones.

Type: list of strings

Default: [ "runit" "nfs" "textfile" ]

Example: ''[ "nfs" ]''

Declared by:

<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
services.prometheus.exporters.node.disabledCollectors

Collectors to disable which are enabled by default.

Type: list of strings

Default: [ "systemd" ]

Example: ''[ "timex" ]''

Declared by:

<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
services.prometheus.exporters.node.extraFlags

Extra commandline options to pass to node_exporter.

Type: list of strings

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
services.prometheus.exporters.node.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
services.prometheus.exporters.node.port

Port to listen on.

Type: signed integer

Default: 9100

Declared by:

<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
services.rpcbind.enable

Whether to enable the rpcbind service.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/networking/rpcbind.nix>
services.rsyslogd.extraConfig

Additional text to append to syslog.conf

Type: string

Default: ""

Example: "news.* -/var/log/news"

Declared by:

<vpsadminos/os/modules/services/logging/rsyslog.nix>
services.rsyslogd.forward

Forward logs over TCP to a set of hosts

Type: list of strings

Default: [ ]

Example: [ "10.0.0.1:11514" ]

Declared by:

<vpsadminos/os/modules/services/logging/rsyslog.nix>
services.rsyslogd.hostName

Optional hostname

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/services/logging/rsyslog.nix>
services.samba

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.sshd.enable

Alias of services.openssh.enable.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.sssd

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.udev.packages

List of packages containing udev rules.

Type: list of paths

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/hardware/eudev.nix>
services.udev.extraRules

Additional udev rules

Type: strings concatenated with "\n"

Default: ""

Example:

''
KERNEL=="eth*", ATTR{address}=="00:1D:60:B9:6D:4F", NAME="my_fast_network_card"
''

Declared by:

<vpsadminos/os/modules/services/hardware/eudev.nix>
services.udev.path

Packages added to the PATH environment variable when executing programs from Udev rules.

Type: list of paths

Default: [ ]

Declared by:

<vpsadminos/os/modules/services/hardware/eudev.nix>
services.xserver

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
services.zfs.autoScrub.enable

Enables periodic scrubbing of ZFS pools.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
services.zfs.autoScrub.interval

Date and time expression for when to scrub ZFS pools, in crontab format, i.e. minute, hour, day of month, month and day of week separated by spaces.

Type: string

Default: "0 4 */14 * *"

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
services.zfs.autoScrub.pools

List of ZFS pools to periodically scrub. If empty, all pools will be scrubbed.

Type: list of strings

Default: [ ]

Example: [ "tank" ]

Declared by:

<vpsadminos/os/modules/tasks/filesystems/zfs>
services.znapzend.enable

Whether to enable ZnapZend ZFS backup daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.autoCreation

Automatically create the destination dataset if it does not exist.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.compressed

Whether to enable the compressed feature, which adds the options -Lce to the zfs send command. When this is enabled, make sure that both the sending and receiving pool have the same relevant features enabled. Using -c will skip unnecessary decompress-compress stages, -L is for large block support and -e is for embedded data support. See znapzend(1) and zfs(8) for more info.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.lowmemRecurse

Whether to enable the lowmemRecurse feature, for systems where you have so many datasets that a recursive listing of attributes to find backup plans exhausts the memory available to znapzend. Instead, znapzend goes the slower way: it first lists all impacted dataset names, and then queries their configs one by one.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.oracleMode

Whether to enable the oracleMode feature, which destroys snapshots one by one instead of using one long argument list. If source and destination are out of sync for a long time, you may have so many snapshots to destroy that the argument list gets too long and the command fails.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.recvu

Whether to enable the recvu feature, which uses -u on the receiving end to keep the destination filesystem unmounted.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.sendRaw

Whether to enable the sendRaw feature, which adds the option -w to the zfs send command. For encrypted source datasets this instructs zfs not to decrypt before sending, which results in a remote backup that can't be read without the encryption key/passphrase; this is useful when the remote isn't fully trusted or not physically secure. This option must be used consistently: raw incrementals cannot be based on non-raw snapshots and vice versa.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.skipIntermediates

Whether to enable the skipIntermediates feature, which sends a single increment between the latest common snapshot and the newly made one. It may skip several source snapshots if the destination was offline for some time, and it should skip snapshots not managed by znapzend. Normally, for online destinations, the new snapshot is sent as soon as it is created on the source, so there are no intermediate increments to skip.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.zfsGetType

Whether to enable the zfsGetType feature. Use it if your zfs get supports a -t argument for filtering by dataset type at all AND lists properties for snapshots by default when recursing, so that there is too much data to process while searching for backup plans. If these two conditions apply to your system, the time needed for a --recursive search for backup plans can differ by hundreds of times (depending on the number of snapshots in that dataset tree, and a decent backup plan will ensure you have a lot of those), so you would benefit from requesting this feature.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.logLevel

The log level when logging to file. Any of debug, info, warning, err, alert. Default in daemonized form is debug.

Type: one of "debug", "info", "warning", "err", "alert"

Default: "debug"

Example: "warning"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.logTo

Where to log to (syslog::<facility> or <filepath>).

Type: string

Default: "syslog::daemon"

Example: "/var/log/znapzend.log"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.noDestroy

Performs all changes to the filesystem except destroy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.pure

Do not persist any stateful znapzend setups. If this option is enabled, your previously set znapzend setups will be cleared and only the ones defined with this module will be applied.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup

Znapzend configuration.

Type: attribute set of submodules

Default: { }

Example:

{
  "tank/home" = {
    # Make snapshots of tank/home every hour, keep those for 1 day,
    # keep every days snapshot for 1 month, etc.
    plan = "1d=>1h,1m=>1d,1y=>1m";
    recursive = true;
    # Send all those snapshots to john@example.com:rtank/john as well
    destinations.remote = {
      host = "john@example.com";
      dataset = "rtank/john";
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.enable

Whether to enable this source.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.dataset

The dataset to use for this source.

Type: string

Example: "tank/home"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations

Additional destinations.

Type: attribute set of submodules

Default: { }

Example:

{
  local = {
    dataset = "btank/backup";
    presend = "zpool import -N btank";
    postsend = "zpool export btank";
  };
  remote = {
    host = "john@example.com";
    dataset = "tank/john";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.dataset

Dataset name to send snapshots to.

Type: string

Example: "tank/main"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.host

Host to use for the destination dataset. Can be prefixed with user@ to specify the ssh user.

Type: null or string

Default: null

Example: "john@example.com"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.label

Label for this destination. Defaults to the attribute name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.plan

The znapzend backup plan to use for the destination. The plan specifies how often to back up and for how long to keep the backups. It consists of a series of retention period to interval associations: retA=>intA,retB=>intB,... Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use either the full name or a shortcut according to the following listing: second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y. See znapzendzetup(1) for more info.

Type: string

Example: "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.postsend

Command to run after sending the snapshot to the destination. Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also presend.

Type: null or string

Default: null

Example: "ssh root@bserv zpool export tank"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.presend

Command to run before sending the snapshot to the destination. Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also postsend.

Type: null or string

Default: null

Example: "ssh root@bserv zpool import -Nf tank"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.mbuffer.enable

Whether to use mbuffer.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.mbuffer.port

Port to use for mbuffer. If this is null, it will run mbuffer through ssh. If this is not null, it will run mbuffer directly through TCP, which is not encrypted but faster. In that case the given port needs to be open on the destination host.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.mbuffer.size

The size for mbuffer. Supports the units b, k, M, G.

Type: string of the form number{b|k|M|G}

Default: "1G"

Example: "128M"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.plan

The znapzend backup plan to use for the source. The plan specifies how often to back up and for how long to keep the backups. It consists of a series of retention period to interval associations: retA=>intA,retB=>intB,... Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use either the full name or a shortcut according to the following listing: second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y. See znapzendzetup(1) for more info.

Type: string

Example: "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.postsnap

Command to run after snapshots are taken on the source dataset, e.g. for database unlocking. See also presnap.

Type: null or string

Default: null

Example:

${pkgs.coreutils}/bin/kill `${pkgs.coreutils}/bin/cat /tmp/mariadblock.pid`;${pkgs.coreutils}/bin/rm /tmp/mariadblock.pid

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.presnap

Command to run before snapshots are taken on the source dataset, e.g. for database locking/flushing. See also postsnap.

Type: null or string

Default: null

Example:

${pkgs.mariadb}/bin/mysql -e "set autocommit=0;flush tables with read lock;\\! ${pkgs.coreutils}/bin/sleep 600" &  ${pkgs.coreutils}/bin/echo $! > /tmp/mariadblock.pid ; sleep 10

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.recursive

Whether to do recursive snapshots.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.sendDelay

Specify the delay (in seconds) before sending snapshots to the destination. May be useful if you want to control the sending time.

Type: signed integer

Default: 0

Example: 60

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.timestampFormat

The timestamp format to use for constructing snapshot names. The syntax is strftime-like. The string must consist of the mandatory %Y %m %d %H %M %S. Optionally - _ . : characters as well as any alphanumeric character are allowed. If suffixed by a Z, times will be in UTC.

Type: string containing all of the characters %Y, %m, %d, %H, %M, %S

Default: "%Y-%m-%d-%H%M%S"

Example: "znapzend-%m.%d.%Y-%H%M%SZ"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
swapDevices

The swap devices and swap files. These must have been initialised using mkswap. Each element should be an attribute set specifying either the path of the swap device or file (device) or the label of the swap device (label, see mkswap -L). Using a label is recommended.

Type: list of submodules

Default: [ ]

Example: [ { device = "/dev/hda7"; } { device = "/var/swapfile"; } { label = "bigswap"; } ]

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.device

Path of the device or swap file.

Type: string

Example: "/dev/sda3"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.label

Label of the device. Can be used instead of device.

Type: string

Example: "swap"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.priority

Specify the priority of the swap device. Priority is a value between 0 and 32767. Higher numbers indicate higher priority. null lets the kernel choose a priority, which will show up as a negative value.

Type: null or signed integer

Default: null

Example: 2048

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption

Encrypt the swap device with a random key. This way you won't have a persistent swap device. HINT: run "cryptsetup benchmark" to test cipher performance on your machine. WARNING: Don't try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which the hibernation image is saved, so if your image ends up on an encrypted one you would lose it! WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption, as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…

Type: submodule or boolean convertible to it

Default: false

Example: { cipher = "serpent-xts-plain64"; enable = true; source = "/dev/random"; }

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.enable

Encrypt the swap device with a random key. This way you won't have a persistent swap device. WARNING: Don't try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which the hibernation image is saved, so if your image ends up on an encrypted one you would lose it! WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption, as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.cipher

Use specified cipher for randomEncryption. Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.

Type: string

Default: "aes-xts-plain64"

Example: "serpent-xts-plain64"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.source

Define the source of randomness to obtain a random key for encryption.

Type: string

Default: "/dev/urandom"

Example: "/dev/random"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.size

If this option is set, ‘device’ is interpreted as the path of a swapfile that will be created automatically with the indicated size (in megabytes).

Type: null or signed integer

Default: null

Example: 2048

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
system.activationScripts

A set of shell script fragments that are executed when a NixOS system configuration is activated. Examples are updating /etc, creating accounts, and so on. Since these are executed every time you boot the system or run nixos-rebuild, it's important that they are idempotent and fast.

Type: attribute set of string or submodules

Default: { }

Example:

{ stdio.text =
  ''
    # Needed by some programs.
    ln -sfn /proc/self/fd /dev/fd
    ln -sfn /proc/self/fd/0 /dev/stdin
    ln -sfn /proc/self/fd/1 /dev/stdout
    ln -sfn /proc/self/fd/2 /dev/stderr
  '';
}

Declared by:

<nixpkgs/nixos/modules/system/activation/activation-script.nix>
system.boot.restrict-proc-sysfs.enable

Restrict access to proc, sysfs and any other filesystem contents.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/system/boot/restrict-proc-sysfs>
system.boot.restrict-proc-sysfs.config

Config passed to ./restrict-dirs.rb. Each line represents a rule for a path. The first word is a command, the second word is the path. The command can be one of: restrict, skip and grant. Empty lines and lines beginning with a hash are ignored.

restrict is used to deny access from containers to the path, skip does not change the access mode, and grant will give read-write access to containers and all their users, even unprivileged ones.

The path can contain patterns, which are expanded. Rules are evaluated from the top. There can be more than one rule for one path; the last matching rule will be used. This makes it possible to e.g. use wildcards with exceptions:

restrict   /sys/class/*
skip       /sys/class/net

The rules above will restrict access to the contents of /sys/class, except for the directory /sys/class/net.

Type: strings concatenated with "\n"

Default:

''
restrict   /proc/bus
restrict   /proc/sched_debug
restrict   /sys/block
restrict   /sys/bus/*
skip       /sys/bus/pci
restrict   /sys/class/*
skip       /sys/class/mem
skip       /sys/class/misc
skip       /sys/class/net
skip       /sys/class/pci_bus
skip       /sys/class/tty
skip       /sys/dev/block
restrict   /sys/devices/*
skip       /sys/devices/pci*
skip       /sys/devices/system
restrict   /sys/devices/system/*
skip       /sys/devices/system/cpu
skip       /sys/devices/system/node
skip       /sys/devices/virtual
restrict   /sys/devices/virtual/*
skip       /sys/devices/virtual/mem
skip       /sys/devices/virtual/misc
skip       /sys/devices/virtual/net
skip       /sys/devices/virtual/tty
restrict   /sys/firmware
restrict   /sys/module/*/sections
grant      /sys/module/nf_conntrack/parameters/*
restrict   /sys/power
''

Declared by:

<vpsadminos/os/modules/system/boot/restrict-proc-sysfs>
system.extraDependencies

A list of packages that should be included in the system closure but not otherwise made available to users. This is primarily used by the installation tests.

Type: list of packages

Default: [ ]

Declared by:

<vpsadminos/os/modules/system/activation/top-level.nix>
system.nssDatabases.group

List of group entries to configure in /etc/nsswitch.conf. Note that "files" is always prepended while "systemd" is appended if nscd is enabled. This option only takes effect if nscd is enabled.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.hosts

List of hosts entries to configure in /etc/nsswitch.conf. Note that "files" is always prepended, and "dns" and "myhostname" are always appended. This option only takes effect if nscd is enabled.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.passwd

List of passwd entries to configure in /etc/nsswitch.conf. Note that "files" is always prepended while "systemd" is appended if nscd is enabled. This option only takes effect if nscd is enabled.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.services

List of services entries to configure in /etc/nsswitch.conf. Note that "files" is always prepended. This option only takes effect if nscd is enabled.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.shadow

List of shadow entries to configure in /etc/nsswitch.conf. Note that "files" is always prepended. This option only takes effect if nscd is enabled.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.osCodeName

The vpsAdminOS release code name (e.g. Emu).

Type: string (read only)

Declared by:

<vpsadminos/os/modules/misc/version.nix>
system.osLabel

Label to be used in the names of generated outputs and boot labels.

Type: string

Declared by:

<vpsadminos/os/modules/misc/version.nix>
system.osRelease

The vpsAdminOS release (e.g. 16.03).

Type: string (read only)

Default: "20.09.0"

Declared by:

<vpsadminos/os/modules/misc/version.nix>
system.secretsDir

Path to a directory containing secret keys and other files that should not be stored in the Nix store. The directory's base name has to be secrets. If the sandbox is enabled (nix.useSandbox = true;) on the build machine, you need to add your directory with secrets to nix.sandboxPaths and then set this option to the path within the sandbox. For example, if your secrets on the build machine are stored in /home/vpsadminos/secrets, you could set nix.sandboxPaths = [ "/secrets=/home/vpsadminos/secrets" ]; on the build machine and system.secretsDir = "/secrets"; in vpsAdminOS config.

Type: null or string

Default: null

Declared by:

<vpsadminos/os/modules/system/activation/secrets.nix>
system.stateVersion

Every once in a while, a new vpsAdminOS release may change configuration defaults in a way incompatible with stateful data. For instance, if the default version of PostgreSQL changes, the new version will probably be unable to read your existing databases. To prevent such breakage, you can set the value of this option to the vpsAdminOS release with which you want to be compatible. The effect is that vpsAdminOS will use option defaults corresponding to the specified release (such as using an older version of PostgreSQL).

Type: string

Default: "20.09.0"

Declared by:

<vpsadminos/os/modules/misc/version.nix>
system.storeOverlaySize

Size of the tmpfs filesystems used as an overlay for /nix/store. See option size in man tmpfs(5) for possible values.

Type: string

Default: "2G"

Declared by:

<vpsadminos/os/modules/system/activation/top-level.nix>
system.userActivationScripts

A set of shell script fragments that are executed by a systemd user service when a NixOS system configuration is activated. Examples are rebuilding the .desktop file cache for showing applications in the menu. Since these are executed every time you run nixos-rebuild, it's important that they are idempotent and fast.

Type: attribute set of string or submodules

Default: { }

Example:

{ plasmaSetup = {
    text = ''
      ${pkgs.libsForQt5.kservice}/bin/kbuildsycoca5
    '';
    deps = [];
  };
}

Declared by:

<nixpkgs/nixos/modules/system/activation/activation-script.nix>
systemd.packages

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
systemd.globalEnvironment

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
systemd.services

This option has no description.

Type: attribute set of unspecifieds

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
systemd.sockets

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
systemd.targets

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
systemd.tmpfiles

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
systemd.user

This option has no description.

Type: unspecified

Declared by:

<vpsadminos/os/modules/nixos-compat.nix>
time.hardwareClockInLocalTime

If set, keep the hardware clock in local time instead of UTC.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
time.timeZone

The time zone used when displaying times and dates. See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a comprehensive list of possible values for this setting. If null, the timezone will default to UTC and can be set imperatively using timedatectl.

Type: null or string without spaces

Default: null

Example: "America/New_York"

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
tty.autologin.enable

Whether to enable autologin on ttys.

Type: boolean

Default: false

Example: true

Declared by:

<vpsadminos/os/modules/services/ttys/agetty.nix>
tty.autologin.user

The user to log in automatically.

Type: string

Default: "root"

Declared by:

<vpsadminos/os/modules/services/ttys/agetty.nix>
tty.spawnSerial

Number of serial TTYs (STTYs) spawned (for /dev/ttyS0).

Type: integer between 0 and 10 (both inclusive)

Default: 1

Declared by:

<vpsadminos/os/modules/services/ttys/agetty.nix>
tty.spawnStandard

Number of TTYs spawned; set to 0 to disable.

Type: integer between 0 and 10 (both inclusive)

Default: 4

Declared by:

<vpsadminos/os/modules/services/ttys/agetty.nix>
users.defaultUserShell

This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package. This must not be a store path, since the path is used outside the store (in particular in /etc/passwd).

Type: path or package

Example:

pkgs.zsh

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
users.enforceIdUniqueness

Whether to require that no two users/groups share the same uid/gid.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups

Alias of users.groups.

Type: attribute set of submodules

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups.<name>.gid

The group GID. If the GID is null, a free GID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups.<name>.members

The user names of the group members, added to the /etc/group file.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups.<name>.name

The name of the group. If undefined, the name of the attribute set will be used.

Type: string

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers

Alias of users.users.

Type: attribute set of submodules

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.packages

The set of packages that should be made available to the user. This is in contrast to environment.systemPackages, which adds packages to all users.

Type: list of packages

Default: [ ]

Example:

[ pkgs.firefox pkgs.thunderbird ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.createHome

If true, the home directory will be created automatically. If this option is true and the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.cryptHomeLuks

Path to encrypted luks device that contains the user's home directory.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.description

A short description of the user account, typically the user's full name. This is actually the “GECOS” or “comment” field in /etc/passwd.

Type: string

Default: ""

Example: "Alice Q. User"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.extraGroups

The user's auxiliary groups.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.group

The user's primary group.

Type: string

Default: "nogroup"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.hashedPassword

Specifies the hashed password for the user. The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options. To generate a hashed password, install the mkpasswd package and run mkpasswd -m sha-512. If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name>.password. If set to null (default), this user will not be able to log in using a password (i.e. via the login command).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.home

The user's home directory.

Type: path

Default: "/var/empty"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.initialHashedPassword

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the hashedPassword option. To generate a hashed password, install the mkpasswd package and run mkpasswd -m sha-512. If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name>.password. If set to null (default), this user will not be able to log in using a password (i.e. via the login command).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.initialPassword

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.isNormalUser

Indicates whether this is an account for a “real” user. This automatically sets group to users, createHome to true, home to /home/username, useDefaultShell to true, and isSystemUser to false.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.isSystemUser

Indicates if the user is a system user or not. This option only has an effect if uid is null, in which case it determines whether the user's UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.name

The name of the user account. If undefined, the name of the attribute set will be used.

Type: string

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.openssh.authorizedKeys.keyFiles

A list of files each containing one OpenSSH public key that should be added to the user's authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keyFiles and keys options.

Type: list of paths

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.extraUsers.<name>.openssh.authorizedKeys.keys

A list of verbatim OpenSSH public keys that should be added to the user's authorized keys. The keys are added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keys and keyFiles options. Warning: If you are using NixOps then don't use this option, since it will replace the key required for deployment via ssh.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.extraUsers.<name>.password

Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts. The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.passwordFile

The full path to a file that contains the user's password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command. The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.shell

The path to the user's shell. Can use shell derivations, like pkgs.bashInteractive. Don’t forget to enable your shell in programs if necessary, like programs.zsh.enable = true;.

Type: package or path

Default: "pkgs.shadow"

Example:

pkgs.bashInteractive

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subGidRanges

Subordinate group ids that user is allowed to use. They are set into /etc/subgid and are used by newgidmap for user namespaces.

Type: list of submodules

Default: [ ]

Example: [ { count = 1; startGid = 100; } { count = 999; startGid = 1001; } ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subGidRanges.*.count

Count of subordinate group ids.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subGidRanges.*.startGid

Start of the range of subordinate group ids that user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subUidRanges

Subordinate user ids that user is allowed to use. They are set into /etc/subuid and are used by newuidmap for user namespaces.

Type: list of submodules

Default: [ ]

Example: [ { count = 1; startUid = 1000; } { count = 65534; startUid = 100001; } ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subUidRanges.*.count

Count of subordinate user ids.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subUidRanges.*.startUid

Start of the range of subordinate user ids that user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.uid

The account UID. If the UID is null, a free UID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.useDefaultShell

If true, the user's shell will be set to users.defaultUserShell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups

Additional groups to be created automatically by the system.

Type: attribute set of submodules

Default: { }

Example: { hackers = { } ; students = { gid = 1001; } ; }

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups.<name>.gid

The group GID. If the GID is null, a free GID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups.<name>.members

The user names of the group members, added to the /etc/group file.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups.<name>.name

The name of the group. If undefined, the name of the attribute set will be used.

Type: string

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.ldap.enable

Whether to enable authentication against an LDAP server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.base

The distinguished name of the search base.

Type: unspecified

Example: "dc=example,dc=org"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.distinguishedName

The distinguished name to bind to the LDAP server with. If this is not specified, an anonymous bind will be done.

Type: string

Default: ""

Example: "cn=admin,dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.passwordFile

The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).

Type: string

Default: "/etc/ldap/bind.password"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.policy

Specifies the policy to use for reconnecting to an unavailable LDAP server. The default is hard_open, which reconnects if opening the connection to the directory server failed. By contrast, hard_init reconnects if initializing the connection failed. Initializing may not actually contact the directory server, and it is possible that a malformed configuration file will trigger reconnection. If soft is specified, then nss_ldap will return immediately on server failure. All hard reconnect policies block with exponential backoff before retrying.

Type: one of "hard_open", "hard_init", "soft"

Default: "hard_open"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.timeLimit

Specifies the time limit (in seconds) to use when connecting to the directory server. This is distinct from the time limit specified in users.ldap.timeLimit and affects the initial server connection only.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.enable

Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM. This can improve performance, and if you need to bind to the LDAP server with a password, it increases security, since only the nslcd user needs to have access to the bindpw file, not everyone that uses NSS and/or PAM. If this option is enabled, a local nscd user is created automatically, and the nslcd service is started automatically when the network comes up.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.extraConfig

Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf).

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.rootpwmoddn

The distinguished name to use to bind to the LDAP server when the root user tries to modify a user's password.

Type: string

Default: ""

Example: "cn=admin,dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.rootpwmodpwFile

The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user's password.

Type: string

Default: ""

Example: "/run/keys/nslcd.rootpwmodpw"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.extraConfig

Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf). If users.ldap.daemon is enabled, this configuration will not be used. In that case, use users.ldap.daemon.extraConfig instead.

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.loginPam

Whether to include authentication against LDAP in login PAM.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.nsswitch

Whether to include lookup against LDAP in NSS.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.server

The URL of the LDAP server.

Type: unspecified

Example: "ldap://ldap.example.org/"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.timeLimit

Specifies the time limit (in seconds) to use when performing searches. A value of zero (0), which is the default, means waiting indefinitely for searches to be completed.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.useTLS

If enabled, use TLS (encryption) over an LDAP (port 389) connection. The alternative is to specify an LDAPS server (port 636) in users.ldap.server or to forego security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.motd

Message of the day shown to users when they log in.

Type: null or strings concatenated with "\n"

Default: null

Example: "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
users.mutableUsers

If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands. On system activation, the existing contents of the /etc/passwd and /etc/group files will be merged with the contents generated from the users.users and users.groups options. The initial password for a user will be set according to users.users, but existing passwords will not be changed.

Warning

If set to false, the contents of the user and group files will simply be replaced on system activation. This also holds for the user passwords; all changed passwords will be reset according to the users.users configuration on activation.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users

Additional user accounts to be created automatically by the system. This can also be used to set options for root.

Type: attribute set of submodules

Default: { }

Example: { alice = { createHome = true; description = "Alice Q. User"; extraGroups = [ "wheel" ] ; group = "users"; home = "/home/alice"; shell = "/bin/sh"; uid = 1234; } ; }

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.users.<name>.packages

The set of packages that should be made available to the user. This is in contrast to environment.systemPackages, which adds packages to all users.

Type: list of packages

Default: [ ]

Example:

[ pkgs.firefox pkgs.thunderbird ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.createHome

If true, the home directory will be created automatically. If this option is true and the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.cryptHomeLuks

Path to encrypted luks device that contains the user's home directory.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.description

A short description of the user account, typically the user's full name. This is actually the “GECOS” or “comment” field in /etc/passwd.

Type: string

Default: ""

Example: "Alice Q. User"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.extraGroups

The user's auxiliary groups.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.group

The user's primary group.

Type: string

Default: "nogroup"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.hashedPassword

Specifies the hashed password for the user. The options hashedPassword, password and passwordFile control what password is set for the user: hashedPassword overrides both password and passwordFile, and password overrides passwordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.

If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.

To generate a hashed password, install the mkpasswd package and run mkpasswd -m sha-512.

If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name>.password. If set to null (the default), this user will not be able to log in using a password (i.e. via the login command).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.home

The user's home directory.

Type: path

Default: "/var/empty"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.initialHashedPassword

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it is equivalent to setting the hashedPassword option.

To generate a hashed password, install the mkpasswd package and run mkpasswd -m sha-512.

If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name>.password. If set to null (the default), this user will not be able to log in using a password (i.e. via the login command).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.initialPassword

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.isNormalUser

Indicates whether this is an account for a “real” user. This automatically sets group to users, createHome to true, home to /home/username, useDefaultShell to true, and isSystemUser to false.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.isSystemUser

Indicates if the user is a system user or not. This option only has an effect if uid is null, in which case it determines whether the user's UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.name

The name of the user account. If undefined, the name of the attribute set will be used.

Type: string

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.openssh.authorizedKeys.keyFiles

A list of files, each containing one OpenSSH public key, that should be added to the user's authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keyFiles and keys options.

Type: list of paths

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.users.<name>.openssh.authorizedKeys.keys

A list of verbatim OpenSSH public keys that should be added to the user's authorized keys. The keys are added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keys and keyFiles options. Warning: if you are using NixOps, don't use this option, since it will replace the key required for deployment via ssh.

Type: list of strings

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.users.<name>.password

Specifies the (clear text) password for the user. Warning: do not set confidential information here, because it is world-readable in the Nix store. This option should only be used for public accounts.

The options hashedPassword, password and passwordFile control what password is set for the user: hashedPassword overrides both password and passwordFile, and password overrides passwordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.

If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.passwordFile

The full path to a file that contains the user's password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command.

The options hashedPassword, password and passwordFile control what password is set for the user: hashedPassword overrides both password and passwordFile, and password overrides passwordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.

If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.shell

The path to the user's shell. Can use shell derivations, like pkgs.bashInteractive. Don’t forget to enable your shell in programs if necessary, like programs.zsh.enable = true;.

Type: package or path

Default: "pkgs.shadow"

Example:

pkgs.bashInteractive

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subGidRanges

Subordinate group ids that the user is allowed to use. They are written to /etc/subgid and are used by newgidmap for user namespaces.

Type: list of submodules

Default: [ ]

Example: [ { count = 1; startGid = 100; } { count = 999; startGid = 1001; } ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subGidRanges.*.count

Count of subordinate group ids.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subGidRanges.*.startGid

Start of the range of subordinate group ids that the user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subUidRanges

Subordinate user ids that the user is allowed to use. They are written to /etc/subuid and are used by newuidmap for user namespaces.

Type: list of submodules

Default: [ ]

Example: [ { count = 1; startUid = 1000; } { count = 65534; startUid = 100001; } ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subUidRanges.*.count

Count of subordinate user ids.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subUidRanges.*.startUid

Start of the range of subordinate user ids that the user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.uid

The account UID. If the UID is null, a free UID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.useDefaultShell

If true, the user's shell will be set to users.defaultUserShell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
virtualisation.lxc.enable

This enables Linux Containers (LXC), which provides tools for creating and managing system or application containers on Linux.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.defaultConfig

Default config (default.conf) for new containers, i.e. for network config. See lxc.container.conf (5).

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.lxcfs.enable

This enables LXCFS, a FUSE filesystem for LXC. To use lxcfs, include the following in your container configuration:

virtualisation.lxc.defaultConfig = "lxc.include = ${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf";

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxcfs.nix>
virtualisation.lxc.systemConfig

This is the system-wide LXC config. See lxc.system.conf(5).

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.usernetConfig

This is the config file for managing unprivileged user network administration access in LXC. See lxc-usernet(5).

Type: strings concatenated with "\n"

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
vpsadmin.enable

Enable vpsAdmin integration, i.e. include nodectld and nodectl.

Type: boolean

Default: false

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.consoleHost

Address for the console server to listen on.

Type: string

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.db

Database credentials. Don't use this for production deployments, as the credentials would be world readable in the Nix store. Pass the database credentials through deployment.keys.nodectld-config in NixOps.

Type: submodule

Default: { host = ""; name = ""; password = ""; user = ""; }

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.db.host

Database hostname

Type: string

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.db.name

Database name

Type: string

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.db.password

Database password

Type: string

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.db.user

Database user

Type: string

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.netInterfaces

Network interfaces

Type: list of strings

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.nodeId

Node ID

Type: signed integer

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadmin.transactionPublicKeyFile

Path to the file containing the public key used to verify transactions.

Type: path

Default: "/etc/vpsadmin/transaction.key"

Declared by:

<vpsadminos/os/modules/vpsadmin/nodectld.nix>
vpsadminos.nix

Enable nix-daemon and a writeable Nix store.

Type: boolean

Default: true

Declared by:

<vpsadminos/os/modules/system/activation/top-level.nix>