boot.blacklistedKernelModules
List of names of kernel modules that should not be loaded automatically by the hardware probing code.
Type: list of strings
Default:
[
]
Example:
[
"cirrusfb" "i2c_piix4"
]
Declared by:
<nixpkgs/nixos/modules/system/boot/modprobe.nix>
|
boot.consoleLogLevel
The kernel console loglevel. All Kernel Messages with a log level smaller than this setting will be printed to the console.
Type: signed integer
Default:
4
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.devShmSize
This option has no description.
Type: string
Default:
"50%"
Example:
"256m"
Declared by:
<vpsadminos/os/modules/system/boot/stage-2.nix>
|
boot.devSize
This option has no description.
Type: string
Default:
"5%"
Example:
"32m"
Declared by:
<vpsadminos/os/modules/system/boot/stage-2.nix>
|
boot.extraModprobeConfig
Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.d(5) for details.
Type: strings concatenated with "\n"
Default:
""
Example:
'' options parport_pc io=0x378 irq=7 dma=1 ''
Declared by:
<nixpkgs/nixos/modules/system/boot/modprobe.nix>
|
boot.extraModulePackages
A list of additional packages supplying kernel modules.
Type: list of packages
Default:
[
]
Example:
[ config.boot.kernelPackages.nvidia_x11 ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.initrd.enable
Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.
Type: boolean
Default:
"!config.boot.isContainer"
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
boot.initrd.availableKernelModules
The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules listed here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.
Type: list of strings
Default:
[
]
Example:
[
"sata_nv" "ext3"
]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.initrd.kernelModules
List of modules that are always loaded by the initrd.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.initrd.luks.cryptoModules
A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.
Type: list of strings
Default:
[
"aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher"
]
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices
The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/name.
Type: attribute set of submodules
Default:
{
}
Example:
{
  luksroot = {
    device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
  };
}
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.allowDiscards
Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.device
Path of the underlying encrypted block device.
Type: string
Example:
"/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.fallbackToPassword
Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.fido2.credential
The FIDO2 credential ID.
Type: null or string
Default:
null
Example:
"f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.fido2.gracePeriod
Time in seconds to wait for the FIDO2 key.
Type: signed integer
Default:
10
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.fido2.passwordLess
Defines whether to use an empty string as a default salt. Enable only when your device is PIN protected, such as Trezor.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.gpgCard
The option to use this LUKS device with a GPG-encrypted LUKS password by the GPG Smartcard. If null (the default), GPG-Smartcard will be disabled for this device.
Type: null or submodule
Default:
null
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.gpgCard.encryptedPass
Path to the GPG encrypted passphrase.
Type: path
Default:
""
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.gpgCard.gracePeriod
Time in seconds to wait for the GPG Smartcard.
Type: signed integer
Default:
10
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.gpgCard.publicKey
Path to the Public Key.
Type: path
Default:
""
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.header
The name of the file or block device that should be used as header for the encrypted device.
Type: null or string
Default:
null
Example:
"/root/header.img"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.keyFile
The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.
Type: null or string
Default:
null
Example:
"/dev/sdb1"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.keyFileOffset
The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.
Type: null or signed integer
Default:
null
Example:
4096
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.keyFileSize
The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used for decryption, instead of just the first keyFileSize bytes.
Type: null or signed integer
Default:
null
Example:
4096
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.postOpenCommands
Commands that should be run right after we have mounted our LUKS device.
Type: strings concatenated with "\n"
Default:
""
Example:
'' umount /tmp/persistent ''
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.preLVM
Whether the luksOpen will be attempted before LVM scan or after it.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.preOpenCommands
Commands that should be run right before we try to mount our LUKS device. This can be useful if the keys needed to open the drive are on another partition.
Type: strings concatenated with "\n"
Default:
""
Example:
''
  mkdir -p /tmp/persistent
  mount -t zfs rpool/safe/persistent /tmp/persistent
''
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey
The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.
Type: null or submodule
Default:
null
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.gracePeriod
Time in seconds to wait for the Yubikey.
Type: signed integer
Default:
10
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.iterationStep
How much the iteration count for PBKDF2 is increased at each successful authentication.
Type: signed integer
Default:
0
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.keyLength
Length of the LUKS slot key derived with PBKDF2 in bytes.
Type: signed integer
Default:
64
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.saltLength
Length of the new salt in bytes (64 is the effective maximum).
Type: signed integer
Default:
16
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.slot
Which slot on the Yubikey to challenge.
Type: signed integer
Default:
2
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.storage.device
An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.
Type: path
Default:
"/dev/sda1"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.storage.fsType
The filesystem of the unencrypted device.
Type: string
Default:
"vfat"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.storage.path
Absolute path of the salt on the unencrypted device with that device's root directory as "/".
Type: string
Default:
"/crypt-storage/default"
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.devices.<name>.yubikey.twoFactor
Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false).
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.fido2Support
Enables support for authenticating with FIDO2 devices.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.gpgSupport
Enables support for authenticating with a GPG encrypted password.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.mitigateDMAAttacks
Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at http://en.wikipedia.org/wiki/DMA_attack. This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.reusePassphrases
When opening a new LUKS device try reusing last successful passphrase. Useful for mounting a number of devices that use the same passphrase without retyping it several times. Such setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.luks.yubikeySupport
Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly set up a LUKS device and a Yubikey to work with this feature.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/luksroot.nix>
|
boot.initrd.network.enable
Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP.
You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
|
boot.initrd.network.flushBeforeStage2
Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
|
boot.initrd.network.postCommands
Shell commands to be executed after stage 1 of the boot has initialised the network.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
|
boot.initrd.network.ssh.enable
Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter passphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished.
The sshd configuration is largely inherited from services.openssh.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
|
boot.initrd.network.ssh.authorizedKeys
Authorized keys for the root user on initrd.
Type: list of strings
Default:
"config.users.users.root.openssh.authorizedKeys.keys"
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
|
boot.initrd.network.ssh.extraConfig
Verbatim contents of sshd_config.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
|
boot.initrd.network.ssh.hostKeys
Specify SSH host keys to import into the initrd. To generate keys, use ssh-keygen(1):
# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!
Additionally, even if your initrd supports secrets, if you're using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition.
Type: list of string or paths
Default:
[
]
Example:
[
"/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key"
]
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
|
boot.initrd.network.ssh.port
Port on which SSH initrd service should listen.
Type: signed integer
Default:
22
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
|
boot.initrd.network.ssh.shell
Login shell of the remote user. Can be used to limit the actions the user can perform.
Type: string
Default:
"/bin/ash"
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
|
boot.initrd.network.udhcpc.extraArgs
Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and networking.useDHCP are enabled.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
|
boot.initrd.postDeviceCommands
Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
boot.initrd.postMountCommands
Shell commands to be executed immediately after the stage 1 filesystems have been mounted.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
boot.initrd.preFailCommands
Shell commands to be executed before the failure prompt is shown.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
boot.initrd.preLVMCommands
Shell commands to be executed immediately before LVM discovery. vpsAdminOS does not actually support LVM; this is just for compatibility with other modules.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
boot.initrd.supportedFilesystems
Names of supported filesystem types in the initial ramdisk.
Type: list of strings
Default:
[
]
Example:
[
"btrfs"
]
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
boot.initrd.withHwSupport
Include hardware support kernel modules in initrd (so e.g. zfs sees disks)
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/config/kernel.nix>
|
boot.isContainer
This option has no description.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/activation/top-level.nix>
|
boot.kernel.randstructSeed
Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.
Type: string
Default:
""
Example:
"my secret seed"
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.kernel.sysctl
Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameter names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).
Type: attribute set of sysctl option values
Default:
{
}
Example:
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
Declared by:
<nixpkgs/nixos/modules/config/sysctl.nix>
|
boot.kernelModules
The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.kernelPackage
base linux kernel package
Type: package
Default:
(build of linux-5.9.2)
Declared by:
<vpsadminos/os/modules/config/kernel.nix>
|
boot.kernelPackages
This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.
Type: unspecified
Default:
"pkgs.linuxPackages"
Example:
pkgs.linuxPackages_2_6_25
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.kernelParams
Parameters added to the kernel command line.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.kernelPatches
A list of additional patches to apply to the kernel.
Type: list of attribute sets
Default:
[
]
Example:
[ pkgs.kernelPatches.ubuntu_fan_4_4 ]
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.loader.efi.canTouchEfiVariables
Whether the installation process is allowed to modify EFI boot variables.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
|
boot.loader.efi.efiSysMountPoint
Where the EFI System Partition is mounted.
Type: string
Default:
"/boot"
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
|
boot.loader.generationsDir.enable
Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files.
This option is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
|
boot.loader.generationsDir.copyKernels
Whether to copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
|
boot.loader.grub.enable
Whether to enable the GNU GRUB boot loader.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.enableCryptodisk
Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.configurationLimit
Maximum number of configurations in the boot menu. GRUB has problems when there are too many entries.
Type: signed integer
Default:
100
Example:
120
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.configurationName
GRUB entry name instead of default.
Type: string
Default:
""
Example:
"Stable 2.6.21"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.copyKernels
Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.default
Index of the default menu item to be booted.
Type: signed integer or string
Default:
"0"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.device
The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.
Type: string
Default:
""
Example:
"/dev/disk/by-id/wwn-0x500001234567890a"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.devices
The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install GRUB onto multiple devices.
Type: list of strings
Default:
[
]
Example:
[
"/dev/disk/by-id/wwn-0x500001234567890a"
]
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.efiInstallAsRemovable
Whether to invoke grub-install with --removable.
Unless you turn this on, GRUB will install itself somewhere in boot.loader.efi.efiSysMountPoint (exactly where depends on other config variables). If you've set boot.loader.efi.canTouchEfiVariables *AND* you are currently booted in UEFI mode, then GRUB will use efibootmgr to modify the boot order in the EFI variables of your firmware to include this location. If you are *not* booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed ("efibootmgr: EFI variables are not supported on this system.").
If you turn this feature on, GRUB will install itself in a special location within efiSysMountPoint (namely EFI/boot/boot$arch.efi) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.
To summarize, turn this on if:
- You are installing vpsAdminOS and want it to boot in UEFI mode, but you are currently booted in legacy mode
- You want to make a drive that will boot regardless of the NVRAM state of the computer (like a USB "removable" drive)
- You simply dislike the idea of depending on NVRAM state to make your drive bootable
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.efiSupport
Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraConfig
Additional GRUB commands inserted in the configuration file just before the menu entries.
Type: strings concatenated with "\n"
Default:
""
Example:
"serial; terminal_output.serial"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraEntries
Any additional entries you want added to the GRUB boot menu.
Type: strings concatenated with "\n"
Default:
""
Example:
''
  # GRUB 1 example (not GRUB 2 compatible)
  title Windows
    chainloader (hd0,1)+1

  # GRUB 2 example
  menuentry "Windows 7" {
    chainloader (hd0,4)+1
  }

  # GRUB 2 with UEFI example, chainloading another distro
  menuentry "Fedora" {
    set root=(hd1,1)
    chainloader /efi/fedora/grubx64.efi
  }
''
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraEntriesBeforeVpsAdminOS
Whether extraEntries are included before the default option.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraFiles
A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.
Type: attribute set of paths
Default:
{
}
Example:
{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraInitrd
The path to a second initramfs to be supplied to the kernel. This ramfs will not be copied to the store, so that it can contain secrets such as LUKS keyfiles or SSH keys. This implies that rolling back to a previous configuration won't roll back the state of this file.
Type: null or path
Default:
null
Example:
"/boot/extra_initramfs.gz"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraPerEntryConfig
Additional GRUB commands inserted in the configuration file at the start of each vpsAdminOS menu entry.
Type: strings concatenated with "\n"
Default:
""
Example:
"root (hd0)"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.extraPrepareConfig
Additional bash commands to be run in the script that prepares the GRUB menu entries.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.font
Path to a TrueType, OpenType, or pf2 font to be used by Grub.
Type: null or path
Default:
"\${pkgs.grub2}/share/grub/unicode.pf2"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.fontSize
Font size for the grub menu. Ignored unless font is set to a ttf or otf font.
Type: null or signed integer
Default:
null
Example:
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.forceInstall
Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.fsIdentifier
Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that GRUB will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as shown in df or mount. Note that zfs zpools / datasets are ignored and will always be mounted using their labels.
Type: one of "uuid", "label", "provided"
Default:
"uuid"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.gfxmodeBios
The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.
Type: string
Default:
"1024x768"
Example:
"auto"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.gfxmodeEfi
The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.
Type: string
Default:
"auto"
Example:
"1024x768"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.ipxe
Set of iPXE scripts available for booting from the GRUB boot menu.
Type: attribute set of path or strings
Default:
{
}
Example:
{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.vpsadminos.org/script.ipxe
  '';
}
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/ipxe.nix>
|
boot.loader.grub.mirroredBoots
Mirror the boot configuration to multiple partitions and install grub to the respective devices corresponding to those partitions.
Type: list of submodules
Default:
[
]
Example:
[
  {
    devices = [ "/dev/disk/by-id/wwn-0x500001234567890a" ];
    path = "/boot1";
  }
  {
    devices = [ "/dev/disk/by-id/wwn-0x500009876543210a" ];
    path = "/boot2";
  }
]
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.mirroredBoots.*.devices
The path to the devices which will have the GRUB MBR written. Note these are typically device paths and not paths to partitions.
Type: list of strings
Default:
[
]
Example:
[
"/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a"
]
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.mirroredBoots.*.efiBootloaderId
The id of the bootloader to store in efi nvram.
The default is to name it vpsAdminOS and append the path or efiSysMountPoint. This is only used if boot.loader.efi.canTouchEfiVariables is true.
Type: null or string
Default:
null
Example:
"vpsAdminOS-fsid"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.mirroredBoots.*.efiSysMountPoint
The path to the efi system mount point. Usually this is the same partition as the above path and can be left as null.
Type: null or string
Default:
null
Example:
"/boot1/efi"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.mirroredBoots.*.path
The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.
Type: string
Example:
"/boot1"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.splashImage
Background image used for GRUB.
Set to null to run GRUB in text mode.
For grub 1: It must be a 640x480, 14-colour image in XPM format, optionally compressed with gzip or bzip2.
For grub 2: File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must not be progressive. The image will be scaled if necessary to fit the screen.
Type: null or path
Example:
./my-background.png
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.storePath
Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.
Type: string
Default:
"/nix/store"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.trustedBoot.enable
Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.trustedBoot.isHPLaptop
Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.trustedBoot.systemHasTPM
Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
Type: string
Default:
""
Example:
"YES_TPM_is_activated"
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.useOSProber
If set to true, append entries for other OSs detected by os-prober.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.version
The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.
Type: signed integer
Default:
2
Example:
1
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.grub.zfsSupport
Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/loader/grub/grub.nix>
|
boot.loader.timeout
Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.
Type: null or signed integer
Default:
5
Declared by:
<nixpkgs/nixos/modules/system/boot/loader/loader.nix>
|
boot.postBootCommands
Shell commands to be executed just before runit is started.
Type: strings concatenated with "\n"
Default:
""
Example:
"rm -f /var/log/messages"
Declared by:
<vpsadminos/os/modules/system/boot/stage-2.nix>
|
boot.predefinedFailAction
Action to take automatically if stage-1 fails:
n - create new pool (may also erase disks and run partitioning if configured)
i - interactive shell
r - reboot
* - ignore
Useful for unattended installations and testing.
Type: one of "", "n", "i", "r", "*"
Default:
""
Declared by:
<vpsadminos/os/modules/system/activation/top-level.nix>
|
boot.procHidePid
Mount proc with hidepid=2.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/stage-2.nix>
|
boot.qemu.disks
Disks available within the VM
Type: list of submodules
Default:
[
{
create = true; device = "sda.img"; size = "8G"; type = "file";
}
]
Declared by:
<vpsadminos/os/modules/system/boot/qemu.nix>
|
boot.qemu.disks.*.create
Create the device if it does not exist. Applicable only for file-backed devices.
Type: boolean
Declared by:
<vpsadminos/os/modules/system/boot/qemu.nix>
|
boot.qemu.disks.*.device
Path to the disk device
Type: string
Declared by:
<vpsadminos/os/modules/system/boot/qemu.nix>
|
boot.qemu.disks.*.size
Device size
Type: string
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/qemu.nix>
|
boot.qemu.disks.*.type
Device type
Type: one of "file", "blockdev"
Declared by:
<vpsadminos/os/modules/system/boot/qemu.nix>
|
boot.runSize
This option has no description.
Type: string
Default:
"25%"
Example:
"256m"
Declared by:
<vpsadminos/os/modules/system/boot/stage-2.nix>
|
boot.specialFileSystems.<name>.device
Location of the device.
Type: null or string (with check: non-empty)
Default:
null
Example:
"/dev/sda"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
boot.specialFileSystems.<name>.fsType
Type of the file system.
Type: string (with check: non-empty)
Default:
"auto"
Example:
"ext3"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
boot.specialFileSystems.<name>.mountPoint
Location of the mounted file system.
Type: string (with check: non-empty)
Example:
"/mnt/usb"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
boot.specialFileSystems.<name>.options
Options used to mount the file system.
Type: list of strings (with check: non-empty)
Default:
[
"defaults"
]
Example:
[
"data=journal"
]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
boot.supportedFilesystems
Names of supported filesystem types.
Type: list of strings
Default:
[
]
Example:
[
"btrfs"
]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
boot.vesa
(Deprecated) This option, if set, activates the VESA 800x600 video mode on boot and disables kernel modesetting. It is equivalent to specifying [ "vga=0x317" "nomodeset" ] in the boot.kernelParams option. This option is deprecated as of 2020: Xorg now works better with modesetting, and you might want a different VESA vga setting, anyway.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/system/boot/kernel.nix>
|
boot.zfs.devNodes
Directories used to search disk devices. This should be a path under /dev containing stable names for all devices needed, as import may fail if device nodes are renamed concurrently with a device failing.
Type: list of strings
Default:
[
"/dev/disk/by-id"
]
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.forceImportRoot
Forcibly import the ZFS root pool(s) during early boot.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools
This option has no description.
Type: attribute set of submodules
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.cache
Devices used for secondary read cache (L2ARC).
Type: list of strings
Default:
[
]
Example:
[
"sde2" "sdf2"
]
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.datasets
Declaratively create ZFS file systems or volumes and configure properties. Dataset names are relative to the pool and optionally may start with a slash. Configured properties are passed directly to ZFS, see man zfs(8) for more information. No dataset is ever destroyed and properties removed from the configuration are not unset once deployed. To reset a property, set its value to `inherit`.
Type: attribute set of submodules
Default:
{
  "/" = {
    properties = {
      xattr = { _type = "override"; content = "sa"; priority = 1000; };
    };
  };
}
Example:
{
  "/" = {
    properties = {
      sharenfs = "on";
    };
  };
  data = {
    properties = {
      quota = "100G";
    };
  };
  volume = {
    properties = {
      volsize = "50G";
    };
    type = "volume";
  };
}
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.datasets.<name>.properties
ZFS properties, see man zfs(8).
Type: attribute set
Default:
{
}
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.datasets.<name>.type
Dataset type
Type: one of "filesystem", "volume"
Default:
"filesystem"
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.doCreate
Determines whether disks are partitioned and zpool is created when the pool cannot be imported, suggesting it does not exist. Do not enable this in production: existing pools might fail to import for unforeseen reasons, and recreating them will result in data loss.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.guid
Pool ID used for importing.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.install
Import the pool into osctld to be used for containers.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.layout
Pool layout to pass to zpool create. The pool can be created either manually using script do-create-pool-<pool> or automatically when boot.zfs.pools.<pool>.doCreate is set and the pool cannot be imported.
Type: list of submodules
Default:
[
]
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.layout.*.devices
List of device names.
Type: list of strings
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.layout.*.type
Virtual device type, see man zpool(8) for more information.
Type: one of "stripe", "mirror", "raidz", "raidz1", "raidz2", "raidz3"
Default:
"stripe"
Example:
"mirror"
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.log
Devices used for ZFS Intent Log (ZIL).
Type: list of submodules
Default:
[
]
Example:
{
  devices = [ "sde1" "sdf1" ];
  mirror = true;
}
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.log.*.devices
List of device names.
Type: list of strings
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.log.*.mirror
Determines whether the log devices will be mirrored or not.
Type: boolean
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.partition
Partition disks. This creates an sfdisk input for simple partitioning; X in 'pX' means partition number. If sizeGB is not specified, the rest of the disk will be used for this partition.
Type: attribute set of attribute sets of submodules
Default:
{
}
Example:
{
  sde = {
    p1 = { sizeGB = 20; };
    p2 = { sizeGB = 10; type = "fd"; };
    p3 = { };
  };
}
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.partition.<name>.<name>.sizeGB
Partition size in gigabytes
Type: null or positive integer, meaning >0
Default:
null
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.partition.<name>.<name>.type
Partition type (list with `sfdisk -T`)
Type: one of "fd"
Default:
"fd"
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.properties
zpool properties, see man zpool(8) for more information.
Type: attribute set
Default:
{
}
Example:
{
readonly = "on";
}
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.scrub.enable
Enables periodic scrubbing
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.scrub.interval
Date and time expression for when to scrub the pool in a crontab format, i.e. minute, hour, day of month, month and day of week separated by spaces.
Type: string
Default:
"0 4 */14 * *"
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.share
Determines whether ZFS filesystems with sharenfs set should be exported.
When set to always, zfs share is run every time the service is started. When set to once, filesystems are exported only once for this pool, e.g. when the service is restarted on upgrade, filesystems are not reexported. off disables automated exporting completely.
Type: one of "always", "once", "off"
Default:
"always"
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.spare
List of devices to be used as hot spares.
Type: list of strings
Default:
[
]
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
boot.zfs.pools.<name>.wipe
Wipe disks prior to disk partitioning and pool creation (dangerous!). Uses dd to erase first and last 1024 sectors of the device.
Type: list of strings
Default:
[
]
Example:
[
"sda" "sdb"
]
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
environment.enableDebugInfo
Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in /run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them.
If you need debug symbols for a package that doesn't provide them by default, you can enable them as follows:
nixpkgs.config.packageOverrides = pkgs: { hello = pkgs.hello.overrideAttrs (oldAttrs: { separateDebugInfo = true; }); };
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/debug-info.nix>
|
environment.etc
Set of files that have to be linked in /etc.
Type: attribute set of submodules
Default:
{
}
Example:
{ example-configuration-file = { source = "/nix/store/.../etc/dir/file.conf.example"; mode = "0440"; }; "default/useradd".text = "GROUP=100 ..."; }
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.enable
Whether this /etc file should be generated. This option allows specific /etc files to be disabled.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.gid
GID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').
Type: signed integer
Default:
0
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.group
Group name of created file.
Only takes effect when the file is copied (that is, the mode is not 'symlink').
Changing this option takes precedence over gid.
Type: string
Default:
"+0"
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.mode
If set to something other than symlink, the file is copied instead of symlinked, with the given file mode.
Type: string
Default:
"symlink"
Example:
"0600"
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.source
Path of the source file.
Type: path
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.target
Name of symlink (relative to /etc). Defaults to the attribute name.
Type: string
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.text
Text of the file.
Type: null or strings concatenated with "\n"
Default:
null
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.uid
UID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').
Type: signed integer
Default:
0
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.etc.<name>.user
User name of created file.
Only takes effect when the file is copied (that is, the mode is not 'symlink').
Changing this option takes precedence over uid.
Type: string
Default:
"+0"
Declared by:
<nixpkgs/nixos/modules/system/etc/etc.nix>
|
environment.extraInit
Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.extraOutputsToInstall
List of additional package outputs to be symlinked into /run/current-system/sw.
Type: list of strings
Default:
[
]
Example:
[
"doc" "info" "docdev"
]
Declared by:
<vpsadminos/os/modules/config/system-path.nix>
|
environment.homeBinInPath
Include ~/bin/ in $PATH.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.interactiveShellInit
Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.loginShellInit
Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.pathsToLink
List of directories to be symlinked in /run/current-system/sw.
Type: list of strings
Default:
[
]
Example:
[
"/"
]
Declared by:
<vpsadminos/os/modules/config/system-path.nix>
|
environment.profileRelativeEnvVars
Attribute set of environment variables. Each attribute maps to a list of relative paths. Each relative path is appended to each profile of environment.profiles to form the content of the corresponding environment variable.
Type: attribute set of lists of strings
Example:
{
  MANPATH = [ "/man" "/share/man" ];
  PATH = [ "/bin" ];
}
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.profileRelativeSessionVariables
Attribute set of environment variables used in the global environment. These variables will be set by PAM early in the login process.
Variable substitution is available as described in pam_env.conf(5).
Each attribute maps to a list of relative paths. Each relative path is appended to each profile of environment.profiles to form the content of the corresponding environment variable.
Also, these variables are merged into environment.profileRelativeEnvVars and it is therefore not possible to use PAM style variables such as @{HOME}.
Type: attribute set of lists of strings
Example:
{
  MANPATH = [ "/man" "/share/man" ];
  PATH = [ "/bin" ];
}
Declared by:
<nixpkgs/nixos/modules/config/system-environment.nix>
|
environment.profiles
A list of profiles used to set up the global environment.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.sessionVariables
A set of environment variables used in the global environment. These variables will be set by PAM early in the login process.
The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.
Note, due to limitations in the PAM format, values may not contain the " character.
Also, these variables are merged into environment.variables and it is therefore not possible to use PAM style variables such as @{HOME}.
Type: attribute set of strings or lists of strings
Default:
{
}
Declared by:
<nixpkgs/nixos/modules/config/system-environment.nix>
|
environment.shellAliases
An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells.
Aliases mapped to null are ignored.
Type: attribute set of null or strings or paths
Example:
{
l = null; ll = "ls -l";
}
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.shellInit
Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.shells
A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.
Type: list of packages or paths
Default:
[
]
Example:
[ pkgs.bashInteractive pkgs.zsh ]
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
environment.systemPackages
This option has no description.
Type: list of packages
Default:
[
]
Example:
[ pkgs.firefox pkgs.thunderbird ]
Declared by:
<vpsadminos/os/modules/config/system-path.nix>
|
environment.variables
A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.
Type: attribute set of strings or lists of strings
Default:
{
}
Example:
{
EDITOR = "nvim"; VISUAL = "nvim";
}
Declared by:
<nixpkgs/nixos/modules/config/shells-environment.nix>
|
fileSystems
The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]).
Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).
Type: attribute set of submodules
Default:
{
}
Example:
{ "/".device = "/dev/hda1"; "/data" = { device = "/dev/hda2"; fsType = "ext3"; options = [ "data=journal" ]; }; "/bigdisk".label = "bigdisk"; }
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.autoFormat
If the device does not currently contain a filesystem (as determined by blkid), then automatically format it with the filesystem type specified in fsType. Use with caution.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.autoResize
If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.device
Location of the device.
Type: null or string (with check: non-empty)
Default:
null
Example:
"/dev/sda"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.formatOptions
If the autoFormat option is set, specifies extra options passed to mkfs.
Type: string
Default:
""
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.fsType
Type of the file system.
Type: string (with check: non-empty)
Default:
"auto"
Example:
"ext3"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.label
Label of the device (if any).
Type: null or string (with check: non-empty)
Default:
null
Example:
"root-partition"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.mountPoint
Location of the mounted file system.
Type: string (with check: non-empty)
Example:
"/mnt/usb"
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.neededForBoot
If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing /nix/store.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/stage-1.nix>
|
fileSystems.<name>.noCheck
Disable running fsck on this filesystem.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
fileSystems.<name>.options
Options used to mount the file system.
Type: list of strings (with check: non-empty)
Default:
[
"defaults"
]
Example:
[
"data=journal"
]
Declared by:
<nixpkgs/nixos/modules/tasks/filesystems.nix>
|
hardware.enableAllFirmware
Turn on this option if you want to enable all the firmware.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/hardware/all-firmware.nix>
|
hardware.enableRedistributableFirmware
Turn on this option if you want to enable all the firmware with a license allowing redistribution (i.e. free firmware and firmware-linux-nonfree).
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/hardware/all-firmware.nix>
|
hardware.firmware
This option has no description.
Type: list of packages
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/hardware/eudev.nix>
|
i18n.defaultLocale
The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.
Type: string
Default:
"en_US.UTF-8"
Example:
"nl_NL.UTF-8"
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
|
i18n.extraLocaleSettings
A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.
Type: attribute set of strings
Default:
{
}
Example:
{
LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8";
}
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
|
i18n.glibcLocales
Customized pkg.glibcLocales package. Changing this option can disable handling of i18n.defaultLocale and supportedLocale.
Type: path
Default:
(build of glibc-locales-2.31)
Example:
pkgs.glibcLocales
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
|
i18n.supportedLocales
List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED.
Type: list of strings
Default:
[
"all"
]
Example:
[
"en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1"
]
Declared by:
<nixpkgs/nixos/modules/config/i18n.nix>
|
krb5
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
lib
This option allows modules to define helper functions, constants, etc.
Type: attribute set of attribute sets
Default:
{
}
Declared by:
<nixpkgs/nixos/modules/misc/lib.nix>
|
location.latitude
Your current latitude, between -90.0 and 90.0. Must be provided along with longitude.
Type: floating point number
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
|
location.longitude
Your current longitude, between -180.0 and 180.0. Must be provided along with latitude.
Type: floating point number
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
|
location.provider
The location provider to use for determining your location. If set to manual you must also provide latitude/longitude.
Type: one of "manual", "geoclue2"
Default:
"manual"
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
|
manual.html.enable
Whether to install the HTML manual.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/misc/manual.nix>
|
manual.json.enable
Whether to install a JSON formatted list of all vpsAdminOS options. This can be located at <profile directory>/share/doc/vpsadminos/options.json, and may be used for navigating definitions, auto-completing, and other miscellaneous tasks.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/misc/manual.nix>
|
manual.manpages.enable
Whether to install the configuration manual page. The manual can be reached by man vpsadminos-configuration.nix.
Type: boolean
Default:
true
Example:
false
Declared by:
<vpsadminos/os/modules/misc/manual.nix>
|
meta.maintainers
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
networking.enableIPv6
This option has no description.
Type: unspecified
Default:
true
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
networking.bird.enable
Whether to enable BIRD Internet Routing Daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.extraConfig
BIRD Internet Routing Daemon configuration file. http://bird.network.cz/
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.logFile
This option has no description.
Type: string
Default:
"/var/log/bird.log"
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.logVerbosity
This option has no description.
Type: string
Default:
"all"
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bfd.enable
Enable BFD
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bfd.interfaces
BFD interfaces
Type: attribute set of submodules
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bfd.interfaces.<name>.idleTX
desired TX interval if neighbor not available or not running BFD (milliseconds)
Type: positive integer, meaning >0
Default:
1000
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bfd.interfaces.<name>.minRX
minimum RX interval (milliseconds)
Type: positive integer, meaning >0
Default:
10
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bfd.interfaces.<name>.minTX
desired TX interval (milliseconds)
Type: positive integer, meaning >0
Default:
100
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bgp
BGP instances
Type: attribute set of submodules
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bgp.<name>.as
BGP autonomous system ID
Type: positive integer, meaning >0
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bgp.<name>.extraConfig
This option has no description.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bgp.<name>.neighbor
Our neighbors
Type: attribute set of positive integers, meaning >0
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.bgp.<name>.nextHopSelf
Always advertise our own local address as a next hop
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.device.extraConfig
Extra config for device protocol
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.device.scanTime
Time in seconds between two scans of the network interface list.
Type: positive integer, meaning >0
Default:
1
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.direct.interface
Restrict devices used by direct protocol
Type: string
Default:
"*"
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.kernel.extraConfig
Extra config for kernel protocol
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.kernel.learn
Whether to enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.kernel.persist
Whether to tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up).
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.protocol.kernel.scanTime
Time in seconds between two consecutive scans of the kernel routing table.
Type: positive integer, meaning >0
Default:
10
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird.routerId
Set BIRD's router ID based on an IP address of an interface specified by an interface pattern.
Type: string
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.enable
Whether to enable BIRD Internet Routing Daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.extraConfig
BIRD Internet Routing Daemon configuration file. http://bird.network.cz/
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.logFile
This option has no description.
Type: string
Default:
"/var/log/bird6.log"
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.logVerbosity
This option has no description.
Type: string
Default:
"all"
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bfd.enable
Enable BFD
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bfd.interfaces
BFD interfaces
Type: attribute set of submodules
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bfd.interfaces.<name>.idleTX
desired TX interval if neighbor not available or not running BFD (milliseconds)
Type: positive integer, meaning >0
Default:
1000
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bfd.interfaces.<name>.minRX
minimum RX interval (milliseconds)
Type: positive integer, meaning >0
Default:
10
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bfd.interfaces.<name>.minTX
desired TX interval (milliseconds)
Type: positive integer, meaning >0
Default:
100
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bgp
BGP instances
Type: attribute set of submodules
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bgp.<name>.as
BGP autonomous system ID
Type: positive integer, meaning >0
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bgp.<name>.extraConfig
This option has no description.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bgp.<name>.neighbor
Our neighbors
Type: attribute set of positive integers, meaning >0
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.bgp.<name>.nextHopSelf
Always advertise our own local address as a next hop
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.device.extraConfig
Extra config for device protocol
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.device.scanTime
Time in seconds between two scans of the network interface list.
Type: positive integer, meaning >0
Default:
1
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.direct.interface
Restrict devices used by direct protocol
Type: string
Default:
"*"
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.kernel.extraConfig
Extra config for kernel protocol
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.kernel.learn
Whether to enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.kernel.persist
Whether to tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up).
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.protocol.kernel.scanTime
Time in seconds between two consecutive scans of the kernel routing table.
Type: positive integer, meaning >0
Default:
10
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.bird6.routerId
Set BIRD's router ID based on an IP address of an interface specified by an interface pattern.
Type: string
Declared by:
<vpsadminos/os/modules/services/networking/bird.nix>
|
networking.chronyd
use Chrony daemon for network time synchronization
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/services/networking/chronyd.nix>
|
networking.custom
Custom set of commands used to set-up networking
Type: strings concatenated with "\n"
Default:
""
Example:
''
  ip addr add 10.0.0.1 dev ix0
  ip link set ix0 up
''
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.dhcp
use DHCP to obtain IP
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.dhcpd
Whether to enable dhcpd for lxc containers.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/dhcpd.nix>
|
networking.domain
The domain. It can be left empty if it is auto-detected through DHCP.
Type: null or string
Default:
null
Example:
"home"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.extraHosts
Additional verbatim entries to be appended to /etc/hosts.
Type: strings concatenated with "\n"
Default:
""
Example:
"192.168.0.1 lanlocalhost"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.firewall.enable
Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.package
The iptables package to use for running the firewall service.
Type: package
Default:
"pkgs.iptables"
Example:
pkgs.iptables-nftables-compat
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.allowPing
Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.allowedTCPPortRanges
A range of TCP ports on which incoming connections are accepted.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
{
from = 8999; to = 9003;
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.allowedTCPPorts
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
22 80
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.allowedUDPPortRanges
Range of open UDP ports.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
{
from = 60000; to = 61000;
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.allowedUDPPorts
List of open UDP ports.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
53
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.autoLoadConntrackHelpers
Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules (needs kernel 3.5+)
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.checkReversePath
Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused. If using asymmetric routing or other complicated routing, set this option to loose mode or disable it and set up your own counter-measures. This option can be either true (or "strict"), "loose" (only drop the packet if the source address is not reachable via any interface) or false. Defaults to the value of kernelHasRPFilter. (needs kernel 3.3+)
Type: boolean or one of "strict", "loose"
Default:
true
Example:
"loose"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.connectionTrackingModules
List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example. As helpers can pose a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default. Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/
Type: list of strings
Default:
[
]
Example:
[
"ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.extraCommands
Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used to allow packets that would otherwise be refused.
Type: strings concatenated with "\n"
Default:
""
Example:
"iptables -A INPUT -p icmp -j ACCEPT"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.extraPackages
Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands.
Type: list of packages
Default:
[
]
Example:
[ pkgs.ipset ]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.extraStopCommands
Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed state.
Type: strings concatenated with "\n"
Default:
""
Example:
"iptables -P INPUT ACCEPT"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.interfaces
Interface-specific open ports.
Type: attribute set of submodules
Default:
{
}
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.interfaces.<name>.allowedTCPPortRanges
A range of TCP ports on which incoming connections are accepted.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
{
from = 8999; to = 9003;
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.interfaces.<name>.allowedTCPPorts
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
22 80
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.interfaces.<name>.allowedUDPPortRanges
Range of open UDP ports.
Type: list of attribute sets of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
{
from = 60000; to = 61000;
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.interfaces.<name>.allowedUDPPorts
List of open UDP ports.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
]
Example:
[
53
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.logRefusedConnections
Whether to log rejected or dropped incoming connections.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.logRefusedPackets
Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.logRefusedUnicastsOnly
If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.logReversePathDrops
Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.pingLimit
If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "--limit 1/minute --limit-burst 5"
Type: null or strings concatenated with " "
Default:
null
Example:
"--limit 1/minute --limit-burst 5"
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.rejectPackets
If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST packet in case of an existing connection). Rejecting packets makes port scanning somewhat easier.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.firewall.trustedInterfaces
Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.
Type: list of strings
Default:
[
]
Example:
[
"enp0s2"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/firewall.nix>
|
networking.hostName
machine hostname
Type: string
Default:
"default"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.hosts
Locally defined maps of hostnames to IP addresses.
Type: attribute set of lists of strings
Default:
{
}
Example:
{ "127.0.0.1" = [ "foo.bar.baz" ]; "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; };
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.lxcbr
create lxc bridge interface
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.nameservers
The list of nameservers. It can be left empty if it is auto-detected through DHCP.
Type: list of strings
Default:
[
]
Example:
[
"208.67.222.222" "208.67.220.220"
]
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.nat
enable NAT for containers
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.preConfig
Set of commands run prior to any other network configuration
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.search
The list of search paths used when resolving domain names.
Type: list of strings
Default:
[
]
Example:
[
"example.com" "local.domain"
]
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.static.enable
use static networking configuration
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.static.gw
gateway IP address for static networking configuration
Type: string
Default:
"10.0.2.2"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.static.interface
interface for static networking configuration
Type: string
Default:
"eth0"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.static.ip
IP address for static networking configuration
Type: string
Default:
"10.0.2.15"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.static.route
route
Type: string
Default:
"10.0.2.0/24"
Declared by:
<vpsadminos/os/modules/tasks/network-interfaces.nix>
|
networking.timeServers
The set of NTP servers from which to synchronise.
Type: unspecified
Default:
[
"0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org"
]
Declared by:
<vpsadminos/os/modules/services/networking/chronyd.nix>
|
networking.useDHCP
Alias of networking.dhcp.
Type: boolean
Declared by:
<vpsadminos/os/modules/rename.nix>
|
nix.package
This option specifies the Nix package instance to use throughout the system.
Type: package
Default:
"pkgs.nix"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.allowedUsers
A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.trustedUsers, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *. Note that trusted users are always allowed to connect.
Type: list of strings
Default:
[
"*"
]
Example:
[
"@wheel" "@builders" "alice" "bob"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.autoOptimiseStore
If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.binaryCachePublicKeys
List of public keys used to sign binary caches. If nix.requireSignedBinaryCaches is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key for cache.nixos.org is included.
Type: list of strings
Example:
[
"hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.binaryCaches
List of binary cache URLs used to obtain pre-built binaries of Nix packages. By default https://cache.nixos.org/ is added, to override it use lib.mkForce [].
Type: list of strings
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildCores
This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.
Type: signed integer
Default:
0
Example:
64
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines
This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store.
Type: list of submodules
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.hostName
The hostname of the build machine.
Type: string
Example:
"nixbuilder.example.org"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.mandatoryFeatures
A list of features mandatory for this builder. The builder will be ignored for derivations that don't require all features in this list. All mandatory features are automatically included in supportedFeatures.
Type: list of strings
Default:
[
]
Example:
[
"big-parallel"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.maxJobs
The number of concurrent jobs the build machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build machines.
Type: signed integer
Default:
1
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.speedFactor
The relative speed of this builder. This is an arbitrary integer that indicates the speed of this builder, relative to other builders. Higher is faster.
Type: signed integer
Default:
1
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.sshKey
The path to the SSH private key with which to authenticate on the build machine. The private key must not have a passphrase. If null, the building user (root on NixOS machines) must have an appropriate ssh configuration to log in non-interactively. Note that for security reasons, this path must point to a file in the local filesystem, *not* to the nix store.
Type: null or string
Default:
null
Example:
"/root/.ssh/id_buildhost_builduser"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.sshUser
The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in nix.trustedUsers.
Type: null or string
Default:
null
Example:
"builder"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.supportedFeatures
A list of features supported by this builder. The builder will be ignored for derivations that require features not in this list.
Type: list of strings
Default:
[
]
Example:
[
"kvm" "big-parallel"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.system
The system type the build machine can execute derivations on. Either this attribute or systems must be present, where system takes precedence if both are set.
Type: null or string
Default:
null
Example:
"x86_64-linux"
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.buildMachines.*.systems
The system types the build machine can execute derivations on. Either this attribute or system must be present, where system takes precedence if both are set.
Type: list of strings
Default:
[
]
Example:
[
"x86_64-linux" "aarch64-linux"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.checkConfig
If enabled (the default), checks that Nix can parse the generated nix.conf.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.daemon.enable
Whether to enable nix daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/misc/nix-daemon.nix>
|
nix.daemonIONiceLevel
Nix daemon process I/O priority. This priority propagates to build processes. 0 is the default Unix process I/O priority, 7 is the lowest.
Type: signed integer
Default:
0
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.daemonNiceLevel
Nix daemon process priority. This priority propagates to build processes. 0 is the default Unix process priority, 19 is the lowest.
Type: signed integer
Default:
0
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.distributedBuilds
Whether to distribute builds to the machines listed in nix.buildMachines.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.extraOptions
Additional text appended to nix.conf.
Type: strings concatenated with "\n"
Default:
""
Example:
''
  keep-outputs = true
  keep-derivations = true
''
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.maxJobs
This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommended to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).
Type: signed integer or one of "auto"
Default:
"auto"
Example:
64
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.nixPath
The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets (e.g. <nixpkgs>).
Type: list of strings
Default:
[
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.nrBuildUsers
Number of nixbld user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.readOnlyStore
If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount. Nix will automatically make the store writable when needed.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.registry
A system-wide flake registry.
Type: attribute set of submodules
Default:
{
}
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.registry.<name>.exact
Whether the from reference needs to match exactly. If set, a from reference like nixpkgs does not match with a reference like nixpkgs/nixos-20.03.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.registry.<name>.flake
The flake input to which from is to be rewritten.
Type: unspecified
Default:
null
Example:
nixpkgs
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.registry.<name>.from
The flake reference to be rewritten.
Type: attribute set of strings, signed integers, booleans or packages
Example:
{
id = "nixpkgs"; type = "indirect";
}
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.registry.<name>.to
The flake reference to which from is to be rewritten.
Type: attribute set of strings, signed integers, booleans or packages
Example:
{
owner = "my-org"; repo = "my-nixpkgs"; type = "github";
}
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.requireSignedBinaryCaches
If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.binaryCachePublicKeys. If disabled, signatures are neither required nor checked, so it's strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.sandboxPaths
Directories from the host filesystem to be included in the sandbox.
Type: list of strings
Default:
[
]
Example:
[
"/dev" "/proc"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.systemFeatures
The supported features of a machine
Type: list of strings
Example:
[
"kvm" "big-parallel" "gccarch-skylake"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.trustedBinaryCaches
List of binary cache URLs that non-root users can use (in addition to those specified using nix.binaryCaches) by passing --option binary-caches to Nix commands.
Type: list of strings
Default:
[
]
Example:
[
"https://hydra.nixos.org/"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.trustedUsers
A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with @; for instance, @wheel means all users in the wheel group.
Type: list of strings
Default:
[
"root"
]
Example:
[
"root" "alice" "@wheel"
]
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nix.useSandbox
If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment. This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn't affect derivation hashes, so changing this option will not trigger a rebuild of packages.
Type: boolean or one of "relaxed"
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
|
nixpkgs.config
The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options.
Ignored when nixpkgs.pkgs is set.
Type: nixpkgs config
Default:
{
}
Example:
{ allowBroken = true; allowUnfree = true; }
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
|
nixpkgs.crossSystem
Specifies the platform for which NixOS should be built. Specify this only if it is different from nixpkgs.localSystem, the platform on which NixOS should be built. In other words, specify this to cross-compile NixOS. Otherwise it should be set as null, the default. See its description in the Nixpkgs manual for more details.
Ignored when nixpkgs.pkgs is set.
Type: null or attribute set
Default:
null
Example:
{
config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux";
}
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
|
nixpkgs.localSystem
Specifies the platform on which NixOS should be built. When nixpkgs.crossSystem is unset, it also specifies the platform for which NixOS should be built. If this option is unset, it defaults to the platform type of the machine where evaluation happens. Specifying this option is useful when doing distributed multi-platform deployment, or when building virtual machines. See its description in the Nixpkgs manual for more details.
Ignored when nixpkgs.pkgs is set.
Type: attribute set
Default:
(import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatform
Example:
{
config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux";
}
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
|
nixpkgs.overlays
List of overlays to use with the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to override packages globally. Each function in the list takes as an argument the original Nixpkgs. The first argument should be used for finding dependencies, and the second should be used for overriding recipes.
If nixpkgs.pkgs is set, overlays specified here will be applied after the overlays that were already present in nixpkgs.pkgs.
Type: list of nixpkgs overlays
Default:
[
]
Example:
[ (self: super: { openssh = super.openssh.override { hpnSupport = true; kerberos = self.libkrb5; }; }) ]
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
|
nixpkgs.pkgs
If set, the pkgs argument to all NixOS modules is the value of this option, extended with nixpkgs.overlays, if that is also set. Either nixpkgs.crossSystem or nixpkgs.localSystem will be used in an assertion to check that the NixOS and Nixpkgs architectures match. Any other options in nixpkgs.*, notably config, will be ignored.
If unset, the pkgs argument to all NixOS modules is determined as shown in the default value for this option.
The default value imports the Nixpkgs source files relative to the location of this NixOS module, because NixOS and Nixpkgs are distributed together for consistency, so the nixos in the default value is in fact a relative path. The config, overlays, localSystem, and crossSystem come from this option's siblings.
This option can be used by applications like NixOps to increase the performance of evaluation, or to create packages that depend on a container that should be built with the exact same evaluation of Nixpkgs, for example. Applications like this should set their default value using lib.mkDefault, so user-provided configuration can override it without using lib.
Note that using a distinct version of Nixpkgs with NixOS may be an unexpected source of problems. Use this option with care.
Type: An evaluation of Nixpkgs; the top level attribute set of packages
Default:
import "${nixos}/.." {
inherit (cfg) config overlays localSystem crossSystem;
}
Example:
import <nixpkgs> {}
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
|
nixpkgs.system
Specifies the Nix platform type on which NixOS should be built. It is better to specify nixpkgs.localSystem instead.
{ nixpkgs.system = ..; }
is the same as
{ nixpkgs.localSystem.system = ..; }
See nixpkgs.localSystem for more information.
Ignored when nixpkgs.localSystem is set. Ignored when nixpkgs.pkgs is set.
Type: string
Example:
"i686-linux"
Declared by:
<nixpkgs/nixos/modules/misc/nixpkgs.nix>
|
os.channel-registration.enable
This option has no description.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/installer/cd-dvd/channel.nix>
|
osctl.exporter.enable
Enable osctl-exporter.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/osctl/osctl-exporter.nix>
|
osctl.exporter.listenAddress
Address to listen on.
Type: string
Default:
"0.0.0.0"
Declared by:
<vpsadminos/os/modules/osctl/osctl-exporter.nix>
|
osctl.exporter.port
Port to listen on.
Type: signed integer
Default:
9101
Declared by:
<vpsadminos/os/modules/osctl/osctl-exporter.nix>
|
osctl.exportfs.enable
Enable osctl-exportfs integration.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/osctl/osctl-exportfs.nix>
|
osctl.pools
osctl pools to configure
Type: attribute set of submodules
Default:
{
}
Example:
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers
osctl containers to include
Type: attribute set of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.arch
Architecture of the distribution to install, must be compatible with the host's architecture.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.autostart
Autostart options. See also https://vpsadminos.org/containers/auto-starting/
Type: null or submodule
Default:
null
Example:
{
delay = 5; enable = true; priority = 10;
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.autostart.enable
Whether to enable container autostart.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.autostart.delay
Autostart delay
Type: positive integer, meaning >0
Default:
5
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.autostart.priority
Autostart priority
Type: positive integer, meaning >0
Default:
10
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.cgparams
CGroup parameters. See also https://vpsadminos.org/containers/resources/
Type: list of submodules
Default:
[
]
Example:
[
{
name = "memory.limit_in_bytes"; subsystem = "memory"; value = "10G";
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.cgparams.*.name
CGroup parameter name
Type: string
Example:
"memory.limit_in_bytes"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.cgparams.*.subsystem
CGroup subsystem name. If left empty, it is deduced from cgroup parameter name.
Type: string
Default:
""
Example:
"memory"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.cgparams.*.value
CGroup parameter value
Type: string
Example:
"10G"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.config
A specification of the desired configuration of this container, as a NixOS module.
Type: Toplevel NixOS config
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices
Devices allowed in this group. See also https://vpsadminos.org/containers/devices/
Type: list of submodules
Default:
[
]
Example:
[
{
major = 10; minor = 229; mode = "rw"; name = "/dev/fuse";
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices.*.major
Device major ID
Type: string
Example:
"229"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices.*.minor
Device minor ID
Type: string
Example:
"10"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices.*.mode
Device access mode. r for read, w for write and m for mknod.
Type: one of "r", "rw", "w", "m", "wm", "rm", "rwm"
Example:
"rwm"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices.*.name
Device name
Type: string
Default:
""
Example:
"/dev/fuse"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices.*.provide
Determines whether the device should be provided to descendant groups, i.e. whether they should inherit it.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.devices.*.type
Device type
Type: one of "char", "block"
Example:
"char"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.distribution
Name of the distribution to install.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.group
Name of an osctl group declared by osctl.groups that
the container belongs to.
Type: string
Default:
"/default"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.on-create
The on-create hook is run in the host's namespace
after the container was created and configured, but before it is
started. The script hook's exit status is not evaluated.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.on-start
on-start is run in the host's namespace, after
the container has been mounted and right before its init process is
executed. If on-start exits with a non-zero
status, the container's start is aborted.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.on-stop
on-stop is run in the host's namespace when the
container enters state stopping. The hook's exit
status is not evaluated.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.post-create
The post-create hook is run in the host's namespace
after the container was created, configured and started. The script
hook's exit status is not evaluated.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.post-mount
post-mount is run in the container's mount
namespace, after its rootfs and all LXC mount entries are mounted.
The path to the container's runtime rootfs is in environment variable
OSCTL_CT_ROOTFS_MOUNT. If post-mount exits with a non-zero status, the
container's start is aborted.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.post-start
post-start is run in the host's namespace after
the container entered state running. The
container's init PID is passed in environment variable
OSCTL_CT_INIT_PID. The script hook's exit status
is not evaluated.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.post-stop
post-stop is run in the host's namespace when
the container enters state stopped. The hook's
exit status is not evaluated.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.pre-create
The pre-create hook is run in the host's namespace
before the container is created. If pre-create
exits with status `1`, the creation attempt will be aborted
and retried repeatedly, as the container's runit service restarts
until the hook script exits with `0`. If pre-create
exits with status `2`, the container
will not be created and the runit service will not be automatically
restarted.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.pre-mount
pre-mount is run in the container's mount
namespace, before its rootfs is mounted. The path to the container's
runtime rootfs is in environment variable
OSCTL_CT_ROOTFS_MOUNT. If pre-mount exits with a non-zero status, the
container's start is aborted.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.pre-start
The pre-start hook is run in the host's namespace
before the container is mounted. The container's cgroups have
already been configured and distribution-support code has been run.
If pre-start exits with a non-zero status, the
container's start is aborted.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.pre-stop
The pre-stop hook is run in the host's namespace when
the container is being stopped using ct stop. If
pre-stop exits with a non-zero exit status,
the container will not be stopped. This hook is not called when the
container is shut down from the inside.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.veth-down
The veth-down hook is run in the host's namespace
when the veth pair is removed. Names of the removed veth interfaces
are available in environment variables
OSCTL_HOST_VETH and OSCTL_CT_VETH. The hook's exit status is not
evaluated.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.hooks.veth-up
The veth-up hook is run in the host's namespace when
the veth pair is created. Names of created veth interfaces are
available in environment variables OSCTL_HOST_VETH
and OSCTL_CT_VETH. If veth-up
exits with a non-zero status, the container's start is aborted.
Type: null or path
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.image.path
Path to container image.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.image.repository
Name of the remote repository the container image is searched in.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces
Network interface configuration. See also https://vpsadminos.org/user-guide/networking/
Type: list of submodules
Default:
[
]
Example:
[
{
ipv4 = { addresses = [ { address = "10.0.0.1"; prefixLength = 16; } ]; };
link = "lxcbr0"; name = "eth0"; type = "bridge";
}
{
ipv4 = { addresses = [ { address = "172.17.66.66"; prefixLength = 32; } ]; };
ipv6 = { addresses = [ { address = "2a03:3b40:7:667::1"; prefixLength = 64; } ]; };
name = "eth1"; type = "routed";
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.dhcp
Determines whether the interface is configured using a DHCP client within the container (type = "bridge" only).
Type: null or boolean
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.hwaddr
Network interface hardware address
Type: string
Default:
""
Example:
"52:54:00:2d:09:26"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.addresses
List of IPv4 addresses that will be statically assigned to the interface.
Type: list of submodules
Default:
[
]
Example:
[
{
address = "10.0.0.1"; prefixLength = 16;
}
{
address = "192.168.1.1"; prefixLength = 24;
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.addresses.*.address
IPv4 address.
Type: string
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.addresses.*.prefixLength
Subnet mask of the address, specified as the number of
bits in the prefix (24).
Type: signed integer
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.gateway
IPv4 gateway for statically configured bridged interfaces.
Set to auto to use the primary address from
the linked interface, none to not set any
gateway, or an IPv4 address.
(type = "bridge" only)
Type: string
Default:
"auto"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.routes
List of IPv4 addresses that will be routed to the interface.
Type: list of submodules
Default:
[
]
Example:
[
{
address = "10.0.0.0"; prefixLength = 16;
}
{
address = "192.168.1.0"; prefixLength = 24;
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.routes.*.address
IPv4 address.
Type: string
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv4.routes.*.prefixLength
Subnet mask of the address, specified as the number of
bits in the prefix (24).
Type: signed integer
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.addresses
List of IPv6 addresses that will be statically assigned to the interface.
Type: list of submodules
Default:
[
]
Example:
[
{
address = "2a03:3b40:7:666::"; prefixLength = 64;
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.addresses.*.address
IPv6 address.
Type: string
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.addresses.*.prefixLength
Subnet mask of the address, specified as the number of
bits in the prefix (64).
Type: signed integer
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.gateway
IPv6 gateway for statically configured bridged interfaces.
Set to auto to use the primary address from
the linked interface, none to not set any
gateway, or an IPv6 address.
(type = "bridge" only)
Type: string
Default:
"auto"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.routes
List of IPv6 addresses that will be routed to the interface.
Type: list of submodules
Default:
[
]
Example:
[
{
address = "2a03:3b40:7:666::"; prefixLength = 64;
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.routes.*.address
IPv6 address.
Type: string
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.ipv6.routes.*.prefixLength
Subnet mask of the address, specified as the number of
bits in the prefix (24).
Type: signed integer
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.link
Link this network interface to bridge (type = "bridge" only)
Type: string
Default:
""
Example:
"lxcbr0"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.name
Network interface name
Type: string
Example:
"eth0"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.interfaces.*.type
Network interface type
Type: one of "bridge", "routed"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts
Container mounts. See also https://vpsadminos.org/user-guide/mounts/
Type: list of submodules
Default:
[
]
Example:
[
{
fs = "/var/shared"; mountpoint = "/mnt";
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts.*.automount
Mount automatically
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts.*.dataset
Relative path to containers dataset
Type: null or string
Default:
null
Example:
"subdataset"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts.*.fs
Filesystem mountpoint (host side)
Type: string
Default:
""
Example:
"/var/shared"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts.*.mountpoint
Filesystem mountpoint (container side)
Type: string
Example:
"/mnt"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts.*.opts
Mount options
Type: string
Default:
"bind,create=dir,rw"
Example:
"bind,create=dir,rw"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.mounts.*.type
Mount type
Type: one of "bind"
Default:
"bind"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.nesting
Whether to enable container nesting.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.path
As an alternative to specifying config, you can specify the path to
the evaluated NixOS system configuration, typically a
symlink to a system profile.
Type: path
Example:
"/nix/var/nix/profiles/containers/webserver"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.as
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.as.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.as.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.core
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.core.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.core.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.cpu
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.cpu.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.cpu.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.data
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.data.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.data.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.fsize
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.fsize.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.fsize.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.memlock
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.memlock.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.memlock.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.msgqueue
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.msgqueue.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.msgqueue.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nice
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nice.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nice.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nofile
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
{
hard = 1048576; soft = 1024;
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nofile.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nofile.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nproc
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nproc.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.nproc.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rss
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rss.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rss.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rtprio
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rtprio.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rtprio.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rttime
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rttime.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.rttime.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.sigpending
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.sigpending.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.sigpending.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.stack
Process resource limit, see man prlimit(2) and https://vpsadminos.org/containers/resources/#process-resource-limits
Type: null or submodule
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.stack.hard
Hard limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.prlimits.stack.soft
Soft limit
Type: positive integer, meaning >0 or one of "unlimited"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.resolvers
List of nameservers
Type: list of strings
Default:
[
]
Example:
[
"1.1.1.1" "10.0.0.1"
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.seccomp
Path to seccomp profile
Type: string
Default:
""
Example:
"/run/osctl/configs/lxc/common.seccomp"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.user
Name of an osctl user declared by osctl.users that
the container belongs to. If not provided, a new user is created with
its name matching the container ID. If such a user already exists, it
is used instead.
Type: null or string
Default:
null
Example:
"myuser01"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.variant
Template variant for use with osctl remote repositories.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.vendor
Template vendor for use with osctl remote repositories.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.containers.<name>.version
Version of the distribution to install.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.destroyMethod
If set to manual, the garbage collector has to be
run manually for every pool by the user by calling script
gc-sweep-<pool>. When set to auto,
the garbage collector is run in the background by runit service
gc-<pool>. Options osctl.pools.<pool>.pure and
osctl.pools.<pool>.destroyUndeclared are honored
in the automated mode. Destructive operations using the manual
invocation have to be enabled using command-line options.
Type: one of "manual", "auto"
Default:
"manual"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.destroyUndeclared
Determines whether declarative users, groups and containers removed from Nix configuration should be deleted from the system or not. When turned off, undeclared containers are stopped, but not destroyed. When enabled, undeclared containers, groups and users are destroyed. WARNING: enabling this option is dangerous, as it will irreversibly destroy containers that are not defined by the current system. For example, if you temporarily roll back the system for whatever reason, containers that were not declared in the older version will be destroyed.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups
osctl groups to include.
In addition to groups defined by this option, there are always two
groups present: / and /default.
Type: attribute set of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.cgparams
CGroup parameters. See also https://vpsadminos.org/containers/resources/
Type: list of submodules
Default:
[
]
Example:
[
{
name = "memory.limit_in_bytes"; subsystem = "memory"; value = "10G";
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.cgparams.*.name
CGroup parameter name
Type: string
Example:
"memory.limit_in_bytes"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.cgparams.*.subsystem
CGroup subsystem name. If left empty, it is deduced from cgroup parameter name.
Type: string
Default:
""
Example:
"memory"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.cgparams.*.value
CGroup parameter value
Type: string
Example:
"10G"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices
Devices allowed in this group. See also https://vpsadminos.org/containers/devices/
Type: list of submodules
Default:
[
]
Example:
[
{
major = 10; minor = 229; mode = "rw"; name = "/dev/fuse";
}
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices.*.major
Device major ID
Type: string
Example:
"229"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices.*.minor
Device minor ID
Type: string
Example:
"10"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices.*.mode
Device access mode. r for read, w for write and m for mknod.
Type: one of "r", "rw", "w", "m", "wm", "rm", "rwm"
Example:
"rwm"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices.*.name
Device name
Type: string
Default:
""
Example:
"/dev/fuse"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices.*.provide
Determines whether the device should be provided to descendant groups, i.e. whether they should inherit it.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.groups.<name>.devices.*.type
Device type
Type: one of "char", "block"
Example:
"char"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges
ID ranges are used to track user/group ID allocations into user namespace maps. There is one default ID range on each pool, with the possibility of creating custom ID ranges. User namespace maps allocated from one ID range are guaranteed to be unique, i.e. no two containers can share the same user/group IDs, making them isolated. Created ID ranges cannot be declaratively modified. Delete them manually or using the garbage collector, then recreate them if changes are needed.
Type: attribute set of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.blockCount
How many blocks from osctl.pools.<pool>.idRanges.<range>.startId
should the range include. Defines the maximum number of user namespace
maps that can be allocated from this range.
Type: unsigned integer, meaning >=0
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.blockSize
Number of user/group IDs that make up the minimum allocation unit
Type: unsigned integer, meaning >=0
Default:
65536
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.startId
The first user/group ID
Type: unsigned integer, meaning >=0
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.table
Allocate blocks from the range. Allocated blocks removed from configuration will not be automatically freed.
Type: list of submodules
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.table.*.count
Number of blocks to allocate
Type: unsigned integer, meaning >=0
Default:
1
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.table.*.index
Index of the starting block
Type: unsigned integer, meaning >=0
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.idRanges.<name>.table.*.owner
Optional allocation owner
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.parallelStart
Number of containers to start in parallel during pool import.
Type: positive integer, meaning >0
Default:
2
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.parallelStop
Number of containers to stop in parallel during pool export.
Type: positive integer, meaning >0
Default:
4
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.pure
Determines whether the pool contains only users, groups and containers declared by Nix configuration. Users, groups and containers that are not declared are deleted when found. WARNING: enabling this option will cause all manually created containers, groups and users to be irreversibly destroyed, with any data they contained.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.repositories
Remote osctl repositories for container images
Type: attribute set of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.repositories.<name>.enabled
Enable/disable the repository. Disabled repositories are included in the system, but they are not searched for images until reenabled, which may be done manually using osctl.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.repositories.<name>.url
HTTP URL to the remote repository
Type: string
Example:
"https://images.vpsadminos.org"
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.users
osctl users to include
Type: attribute set of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.users.<name>.gidMap
GID mapping for the user namespace, see man subgid(5).
Type: list of strings
Default:
[
]
Example:
[
"0:666000:65536"
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.users.<name>.idRange.blockIndex
Block index from the ID range that should be used to create UID/GID mapping.
Type: null or unsigned integer, meaning >=0
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.users.<name>.idRange.name
Name of an ID range from the same pool that should be used to allocate UID/GID IDs.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.pools.<name>.users.<name>.uidMap
UID mapping for the user namespace, see man subuid(5).
Type: list of strings
Default:
[
]
Example:
[
"0:666000:65536"
]
Declared by:
<vpsadminos/os/modules/osctl/pools.nix>
|
osctl.test-shell.enable
Enable test shell integration.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/osctl/test-shell.nix>
|
powerManagement.cpuFreqGovernor
CPU frequency scaling governor to use
Type: string
Default:
"performance"
Example:
"ondemand"
Declared by:
<vpsadminos/os/modules/tasks/cpu-freq.nix>
|
programs.bash.enableCompletion
Enable Bash completion for all interactive bash shells.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.bash.enableLsColors
Enable extra colors in directory listings.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.bash.interactiveShellInit
Shell script code called during interactive bash shell initialisation.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.bash.loginShellInit
Shell script code called during login bash shell initialisation.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.bash.promptInit
Shell script code used to initialise the bash prompt.
Type: strings concatenated with "\n"
Default:
''
  # Provide a nice prompt if the terminal supports it.
  if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
    PROMPT_COLOR="1;31m"
    let $UID && PROMPT_COLOR="1;32m"
    if [ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]; then
      # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
      PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
    else
      PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] "
    fi
    if test "$TERM" = "xterm"; then
      PS1="\[\033]2;\h:\u:\w\007\]$PS1"
    fi
  fi
''
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.bash.root.historyControl
Controlling how commands are saved on the history list.
Type: list of one of "erasedups", "ignoredups", "ignorespace"s
Default:
[
]
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.root.historyFile
Location of the bash history file.
Type: string
Default:
"\$HOME/.bash_history"
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.root.historyFileSize
Number of history lines to keep on file.
Type: signed integer
Default:
100000
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.root.historyIgnore
List of commands that should not be saved to the history list.
Type: list of strings
Default:
[
]
Example:
[
"ls" "cd" "exit"
]
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.root.historyPools
Names of ZFS pools where programs.bash.root.historyFile is mirrored.
If the root file system is not persistent, shell history is lost between reboots. It's not recommended to set programs.bash.root.historyFile to a location on ZFS pools, because if a pool fails, interactive shell sessions would hang while trying to load the history file.
It is better to mirror the history file while possible; its inaccessibility will then not prevent bash from working. The history file is restored from the persistent storage during boot.
Type: list of strings
Default:
[
]
Example:
[
"tank"
]
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.root.historySize
Number of history lines to keep in memory.
Type: signed integer
Default:
10000
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.root.shellOptions
Shell options to set.
Type: list of strings
Default:
[
"histappend" "checkwinsize" "extglob" "globstar" "checkjobs"
]
Declared by:
<vpsadminos/os/modules/programs/bash.nix>
|
programs.bash.shellAliases
Set of aliases for bash shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.
Type: attribute set of null or string or paths
Default:
{
}
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.bash.shellInit
Shell script code called during bash shell initialisation.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/programs/bash/bash.nix>
|
programs.htop.enable
Enable htop
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/programs/htop.nix>
|
programs.ssh.package
The package used for the openssh client and daemon.
Type: package
Default:
"pkgs.openssh"
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.agentPKCS11Whitelist
A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add.
Type: null or string
Default:
null
Example:
"\${pkgs.opensc}/lib/opensc-pkcs11.so"
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.agentTimeout
How long to keep the private keys in memory. Use null to keep them forever.
Type: null or string
Default:
null
Example:
"1h"
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.askPassword
Program used by SSH to ask for passwords.
Type: string
Default:
"\${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.ciphers
Specifies the ciphers allowed and their order of preference.
Type: null or list of strings
Default:
null
Example:
[
"chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.extraConfig
Extra configuration text prepended to ssh_config. Other generated options will be added after a Host * pattern. See ssh_config(5) for help.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.forwardX11
Whether to request X11 forwarding on outgoing connections by default. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.hostKeyAlgorithms
Specifies the host key algorithms that the client wants to use in order of preference.
Type: list of strings
Default:
[
]
Example:
[
"ssh-ed25519" "ssh-rsa"
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.kexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Type: null or list of strings
Default:
null
Example:
[
"curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256"
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.knownHosts
The set of system-wide known SSH hosts.
Type: attribute set of submodules
Default:
{
}
Example:
{
  myhost = {
    hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
    publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
  };
  myhost2 = {
    hostNames = [ "myhost2" ];
    publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
  };
}
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.knownHosts.<name>.certAuthority
This public key is an SSH certificate authority, rather than an individual host's key.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.knownHosts.<name>.hostNames
A list of host names and/or IP numbers used for accessing the host's ssh service.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.knownHosts.<name>.publicKey
The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.
Type: null or string
Default:
null
Example:
"ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.knownHosts.<name>.publicKeyFile
The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option.
Type: null or path
Default:
null
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.macs
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection.
Type: null or list of strings
Default:
null
Example:
[
"hmac-sha2-512-etm@openssh.com" "hmac-sha1"
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.pubkeyAcceptedKeyTypes
Specifies the key types that will be used for public key authentication.
Type: list of strings
Default:
[
]
Example:
[
"ssh-ed25519" "ssh-rsa"
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.setXAuthLocation
Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
<nixpkgs/nixos/modules/programs/ssh.nix>
|
programs.ssh.startAgent
Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don't have to type in passphrases every time you make an SSH connection. Use ssh-add to add a key to the agent.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
runit.defaultRunlevel
Name of a runlevel that is entered by default on boot.
Type: string
Default:
"default"
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services
System services
Type: attribute set of submodules
Default:
{
}
Example:
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.check
Called to check service status.
Type: string
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.alarm
Override runsv control for alarm. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.continue
Override runsv control for continue. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.down
Override runsv control for down. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.exit
Override runsv control for exit. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.hangup
Override runsv control for hangup. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.intr
Override runsv control for intr. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.kill
Override runsv control for kill. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.pause
Override runsv control for pause. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.quit
Override runsv control for quit. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.terminate
Override runsv control for terminate. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.up
Override runsv control for up. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.usr1
Override runsv control for usr1. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.control.usr2
Override runsv control for usr2. If the script exits with 0, runsv refrains from sending the service the corresponding signal. See man runsv(8) for more information.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.finish
Called after services.runit.<service>.run exits.
Type: string
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.includeHelpers
Include helper functions, see ./helpers.sh.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.killMode
Specifies how processes started by this service should be killed. If set to control-group, all processes are sent SIGTERM. If set to process, only the main process receives SIGTERM.
Type: one of "control-group", "process"
Default:
"control-group"
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.enable
Whether to start svlogd for the service.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.linePrefix
Tells svlogd to prefix each line to be written to the log directory, to standard error, or through UDP.
Type: string
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.logFiles
Sets the number of old log files svlogd should maintain. If svlogd sees more old log files in log after log file rotation, it deletes the oldest one. Default is 10. If set to zero, svlogd doesn’t remove old log files.
Type: unsigned integer, meaning >=0
Default:
10
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.logStandardError
Log messages the service writes to stderr.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.maxFileSize
Sets the maximum file size of current when svlogd should rotate the current log file to size bytes. Default is 1000000. If fileSize is zero, svlogd doesn’t rotate log files.
Type: unsigned integer, meaning >=0
Default:
1000000
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.minLogFiles
Sets the minimum number of old log files svlogd should maintain. It must be less than logFiles. If it is set, and svlogd cannot write to current because the filesystem is full, and it sees more than minLogFiles old log files, it deletes the oldest one.
Type: unsigned integer, meaning >=0
Default:
0
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.run
Called to start log service.
Type: string
Default:
""
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.sendOnly
Send messages only via UDP, don't store them in the log directory.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.sendTo
Tells svlogd to transmit the first len characters of selected log messages to the IP address a.b.c.d, port number port. If port isn’t set, the default port for syslog is used (514). len can be set through the -l option, see below. If svlogd has trouble sending udp packets, it writes error messages to the log directory. Attention: logging through udp is unreliable, and should be used in private networks only.
Type: string
Default:
""
Example:
"a.b.c.d[:port]"
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.log.timeout
Sets the maximum age of the current log file when svlogd should rotate the current log file to timeout seconds. If current is timeout seconds old, and is not empty, svlogd forces log file rotation.
Type: unsigned integer, meaning >=0
Default:
0
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.onChange
The action switch-to-configuration should perform when the service is changed.
Type: one of "restart", "reload", "ignore"
Default:
"restart"
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.oneShot
Oneshot services are used to perform one-time tasks; there are no long-running processes monitored by runsv. Oneshot services are not restarted after they successfully exit.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.reloadMethod
Defines how the service should be reloaded. The value is the command given to runit's sv. See man sv(8) for available options.
Type: string
Default:
"reload"
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.run
Called to start the service.
Type: string
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.services.<name>.runlevels
Runlevels the service is started in.
Type: list of strings
Default:
[
"default"
]
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.stage1
runit runs /etc/runit/1 and waits for it to terminate. The system’s one time tasks are done here. /etc/runit/1 has full control of /dev/console to be able to start an emergency shell if the one time initialization tasks fail. If /etc/runit/1 crashes, or exits 100, runit will skip stage 2 and enter stage 3.
Type: string
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.stage2
runit runs /etc/runit/2, which should not return until system shutdown; if it crashes, or exits 111, it will be restarted. Normally /etc/runit/2 starts runsvdir(8). runit is able to handle the ctrl-alt-del keyboard request in stage 2.
Type: string
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
runit.stage3
If runit is told to shutdown the system, or stage 2 returns, it terminates stage 2 if it is running, and runs /etc/runit/3. The systems tasks to shutdown and possibly halt or reboot the system are done here. If stage 3 returns, runit checks if the file /etc/runit/reboot exists and has the execute by owner permission set. If so, the system is rebooted, it’s halted otherwise.
Type: string
Declared by:
<vpsadminos/os/modules/system/boot/runit>
|
security.apparmor.enable
Enable the AppArmor Mandatory Access Control system.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
|
security.apparmor.packages
List of packages to be added to apparmor's include path
Type: list of packages
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
|
security.apparmor.parserConfig
AppArmor parser configuration file content
Type: string
Default:
""
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
|
security.apparmor.profiles
List of files containing AppArmor profiles.
Type: list of paths
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/security/apparmor.nix>
|
security.pam.enableEcryptfs
Whether to enable eCryptfs PAM module (mounting ecryptfs home directory on login).
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.enableOTPW
Whether to enable the OTPW (one-time password) PAM module.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.enableSSHAgentAuth
Enable sudo logins if the user's SSH agent provides a key present in ~/.ssh/authorized_keys. This allows machines to exclusively use SSH keys instead of passwords.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.loginLimits
Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a domain, type, item, and value attribute. The syntax and semantics of these attributes must be that described in the limits.conf(5) man page.
Note that these limits do not apply to systemd services, whose limits can be changed via systemd.extraConfig instead.
Type: unspecified
Default:
[
]
Example:
[
{
domain = "ftp"; item = "nproc"; type = "hard"; value = "0";
}
{
domain = "@student"; item = "maxlogins"; type = "-"; value = "4";
}
]
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.makeHomeDir.skelDirectory
Path to skeleton directory whose contents are copied to home directories newly created by pam_mkhomedir.
Type: string
Default:
"/var/empty"
Example:
"/etc/skel"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.mount.enable
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
security.pam.oath.enable
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
security.pam.p11.enable
Enables P11 PAM (pam_p11) module. If set, users can log in with SSH keys and PKCS#11 tokens. More information can be found here.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.p11.control
This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use the PKCS#11 device instead of the regular password, use "sufficient". Read pam.conf(5) for better understanding of this option.
Type: one of "required", "requisite", "sufficient", "optional"
Default:
"sufficient"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services
This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.
Type: attribute set of submodules
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.enableAppArmor
Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.enableGnomeKeyring
If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login. If the user login password does not match their keyring password, Gnome Keyring will prompt separately after login.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.enableKwallet
If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login. If the user has no wallet named "kdewallet", or the login password does not match their wallet password, KDE will prompt separately after login.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.allowNullPassword
Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to !). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.duoSecurity.enable
If set, use the Duo Security pam module pam_duo for authentication. Requires configuration of security.duosec options.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.forwardXAuth
Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.fprintAuth
If set, the fingerprint reader will be used (if it exists and your fingerprints are enrolled).
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.googleAuthenticator.enable
If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide a Google Authenticator token to log in.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.googleOsLoginAccountVerification
If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly. This only makes sense to enable for the sshd PAM service.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.googleOsLoginAuthentication
If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA. This only makes sense to enable for the sshd PAM service.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.limits
Attribute set describing resource limits. Defaults to the value of security.pam.loginLimits.
Type: unspecified
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.logFailures
Whether to log authentication failures in /var/log/faillog.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.makeHomeDir
Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.name
Name of the PAM service.
Type: string
Example:
"sshd"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.nodelay
Whether the delay after typing a wrong password should be disabled.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.oathAuth
If set, the OATH Toolkit will be used.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.otpwAuth
If set, the OTPW system will be used (if ~/.otpw exists).
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.p11Auth
If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.pamMount
Enable PAM mount (pam_mount) system to mount filesystems on user login.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.requireWheel
Whether to permit root access only to members of group wheel.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.rootOK
If set, root doesn't need to authenticate (e.g. for the useradd service).
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.setEnvironment
Whether the service should set the environment variables listed in environment.sessionVariables using pam_env.so.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.setLoginUid
Set the login uid of the process (/proc/self/loginuid) for auditing purposes. The login uid is only set by ‘entry points’ like login and sshd, not by commands like sudo.
Type: boolean
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.showMotd
Whether to show the message of the day.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.sshAgentAuth
If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.sssdStrictAccess
Enforce sssd access control.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.startSession
If set, the service will register a new session with systemd's login manager. For local sessions, this will give the user access to audio devices, CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.text
Contents of the PAM service file.
Type: null or strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.u2fAuth
If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. Path can be changed using security.pam.u2f.authFile option.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.unixAuth
Whether users can log in with passwords defined in /etc/shadow.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.updateWtmp
Whether to update /var/log/wtmp.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.usbAuth
If set, users listed in /etc/pamusb.conf are able to log in with the associated USB key.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.services.<name>.yubicoAuth
If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.u2f.enable
Enables U2F PAM (pam-u2f) module.
If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using security.pam.u2f.authFile option.
File format is:
username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
This file can be generated using pamu2fcfg command.
More information can be found here.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.u2f.authFile
By default pam-u2f module reads the keys from $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set).
If you want to change auth file locations or centralize database (for example use /etc/u2f-mappings) you can set this option.
File format is:
username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
This file can be generated using pamu2fcfg command.
More information can be found here.
Type: null or path
Default:
null
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.u2f.control
This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use U2F device instead of regular password, use "sufficient". Read pam.conf(5) for better understanding of this option.
Type: one of "required", "requisite", "sufficient", "optional"
Default:
"sufficient"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.u2f.cue
By default, the pam-u2f module does not inform the user that they need to use the U2F device; it just waits without a prompt. If you set this option to true, the cue option is added to the pam-u2f module and a reminder message will be displayed.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.u2f.debug
Debug output to stderr.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.u2f.interactive
Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn’t have a tactile trigger.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.usb.enable
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
security.pam.yubico.enable
Enables Yubico PAM (yubico-pam) module.
If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
The file must have only one line:
username:yubikey_token_id1:yubikey_token_id2
More information can be found here.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.yubico.control
This option sets pam "control". If you want to have multi factor authentication, use "required". If you want to use Yubikey instead of regular password, use "sufficient". Read pam.conf(5) for better understanding of this option.
Type: one of "required", "requisite", "sufficient", "optional"
Default:
"sufficient"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.yubico.debug
Debug output to stderr.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.yubico.id
client id
Type: string
Example:
"42"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pam.yubico.mode
Mode of operation. Use "client" for online validation with a YubiKey validation service such as the YubiCloud. Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation. More information can be found here.
Type: one of "client", "challenge-response"
Default:
"client"
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
security.pki.caCertificateBlacklist
A list of blacklisted CA certificate names that won't be imported from the Mozilla Trust Store into /etc/ssl/certs/ca-certificates.crt. Use the names from that file.
Type: list of strings
Default:
[
]
Example:
[
"WoSign" "WoSign China" "CA WoSign ECC Root" "Certification Authority of WoSign G2"
]
Declared by:
<nixpkgs/nixos/modules/security/ca.nix>
|
security.pki.certificateFiles
A list of files containing trusted root certificates in PEM format. These are concatenated to form /etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as curl and git.
Type: list of paths
Default:
[
]
Example:
[ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]
Declared by:
<nixpkgs/nixos/modules/security/ca.nix>
|
security.pki.certificates
A list of trusted root certificates in PEM format.
Type: list of strings
Default:
[
]
Example:
[
  ''
    NixOS.org
    =========
    -----BEGIN CERTIFICATE-----
    MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
    TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
    ...
    -----END CERTIFICATE-----
  ''
]
Declared by:
<nixpkgs/nixos/modules/security/ca.nix>
|
security.sudo.enable
Whether to enable the sudo command, which allows non-root users to execute commands as root.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.configFile
This string contains the contents of the sudoers file.
Type: strings concatenated with "\n"
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraConfig
Extra configuration text appended to sudoers.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraRules
Define specific rules to be in the sudoers file.
More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure this is the case when configuration options are merged.
Type: list of submodules
Default:
[
]
Example:
[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
  # and the group with GID `1006` without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group `bar` to run two executables as user `foo`
  # with arguments being pre-set.
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
        { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraRules.*.commands
The commands for which the rule should apply.
Type: list of string or submodules
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraRules.*.groups
The groups / GIDs this rule should apply for.
Type: list of string or signed integers
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraRules.*.host
For what host this rule should apply.
Type: string
Default:
"ALL"
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraRules.*.runAs
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: "foo".
It is also possible to specify a user/group combination using "foo:bar" or to only allow running as a specific group with ":bar".
Type: string
Default:
"ALL:ALL"
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.extraRules.*.users
The usernames / UIDs this rule should apply for.
Type: list of string or signed integers
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.sudo.wheelNeedsPassword
Whether users of the wheel group must provide a password to run commands as super user via sudo.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/security/sudo.nix>
|
security.virtualisation
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
security.wrappers
This option allows the ownership and permissions on the setuid wrappers for specific programs to be overridden from the default (setuid root, but not setgid root).
The sub-attribute source is mandatory; it must be the absolute path to the program to be wrapped.
The sub-attribute program is optional and can give the wrapper program a new name. The default name is the same as the attribute name itself.
Additionally, this option can set capabilities on a wrapper program that propagates those capabilities down to the wrapped, real program.
NOTE: cap_setpcap, which is required for the wrapper program to be able to raise caps into the Ambient set, is NOT raised to the Ambient set, so that the real program cannot modify its own capabilities! This may be too restrictive for cases in which the real program needs cap_setpcap, but it at least errs on the side of security paranoia rather than being too relaxed.
Type: attribute set
Default:
{
}
Example:
{
  sendmail.source = "/nix/store/.../bin/sendmail";
  ping = {
    source = "${pkgs.iputils.out}/bin/ping";
    owner = "nobody";
    group = "nogroup";
    capabilities = "cap_net_raw+ep";
  };
}
Declared by:
<nixpkgs/nixos/modules/security/wrappers/default.nix>
|
services.apcupsd.enable
Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure. User manual: http://www.apcupsd.com/manual/manual.html. Note that apcupsd runs as root (to allow shutdown of computer). You can check the status of your UPS with the "apcaccess" command.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/monitoring/apcupsd.nix>
|
services.apcupsd.configText
Contents of the runtime configuration file, apcupsd.conf. The default settings make apcupsd autodetect USB UPSes, limit network access to localhost and shut down the system when the battery level is below 50 percent, or when the UPS has calculated that it has 5 minutes or less of remaining power-on time. See man apcupsd.conf for details.
Type: strings concatenated with "\n"
Default:
''
  UPSTYPE usb
  NISIP 127.0.0.1
  BATTERYLEVEL 50
  MINUTES 5
''
Declared by:
<vpsadminos/os/modules/services/monitoring/apcupsd.nix>
|
services.apcupsd.hooks
Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that event (prior to the default action). See "man apccontrol" for the list of events and what they represent. A hook script can stop apccontrol from doing its default action by exiting with value 99. Do not do this unless you know what you're doing.
Type: attribute set of strings concatenated with "\n"s
Default:
{
}
Example:
{
doshutdown = "# shell commands to notify that the computer is shutting down";
}
Declared by:
<vpsadminos/os/modules/services/monitoring/apcupsd.nix>
|
services.avahi
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.cgmanager
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.cron.enable
Whether to enable the Vixie cron daemon.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/scheduling/cron.nix>
|
services.cron.cronFiles
A list of extra crontab files that will be read and appended to the main crontab file when the cron service starts.
Type: list of paths
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/scheduling/cron.nix>
|
services.cron.mailto
Email address to which job output will be mailed.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/scheduling/cron.nix>
|
services.cron.systemCronJobs
A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid sendmail. See security.wrappers.
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist, only root is allowed to have its own crontab file. The /var/cron/cron.deny file is created automatically for you, so every user can use a crontab.
Many nixos modules set systemCronJobs, so if you decide to disable vixie cron and enable another cron daemon, you may want it to get its system crontab based on systemCronJobs.
Type: list of strings
Default:
[
]
Example:
[
  "* * * * * test ls -l / > /tmp/cronout 2>&1"
  "* * * * * eelco echo Hello World > /home/eelco/cronout"
]
Declared by:
<vpsadminos/os/modules/services/scheduling/cron.nix>
|
services.dhcpd4.enable
Whether to enable the DHCPv4 server.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.authoritative
Whether the DHCP server shall send DHCPNAK messages to misconfigured clients. If this is not done, clients may be unable to get a correct IP address after changing subnets until their old lease has expired.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.configFile
The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.
Type: null or path
Default:
null
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.extraConfig
Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something there, such as the options specifying the subnet mask, DNS servers, etc.
Type: strings concatenated with "\n"
Default:
""
Example:
''
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.5;
  option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1;
  option domain-name "example.org";
  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
  }
''
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.extraFlags
Additional command line flags to be passed to the dhcpd daemon.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.interfaces
The interfaces on which the DHCP server should listen.
Type: list of strings
Default:
[
"eth0"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.machines
A list mapping Ethernet addresses to IPv4 addresses for the DHCP server.
Type: list of submodules
Default:
[
]
Example:
[
{
ethernetAddress = "00:16:76:9a:32:1d"; hostName = "foo"; ipAddress = "192.168.1.10";
}
{
ethernetAddress = "00:19:d1:1d:c4:9a"; hostName = "bar"; ipAddress = "192.168.1.11";
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.machines.*.ethernetAddress
MAC address of the machine.
Type: string
Example:
"00:16:76:9a:32:1d"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.machines.*.hostName
Hostname which is assigned statically to the machine.
Type: string
Example:
"foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.machines.*.ipAddress
IP address of the machine.
Type: string
Example:
"192.168.1.10"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd4.stateDir
State directory for the DHCP server.
Type: path
Default:
"/var/lib/dhcp"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.enable
Whether to enable the DHCPv6 server.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.authoritative
Whether the DHCP server shall send DHCPNAK messages to misconfigured clients. If this is not done, clients may be unable to get a correct IP address after changing subnets until their old lease has expired.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.configFile
The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.
Type: null or path
Default:
null
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.extraConfig
Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something there, such as the options specifying the subnet mask, DNS servers, etc.
Type: strings concatenated with "\n"
Default:
""
Example:
''
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.5;
  option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1;
  option domain-name "example.org";
  subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
  }
''
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.extraFlags
Additional command line flags to be passed to the dhcpd daemon.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.interfaces
The interfaces on which the DHCP server should listen.
Type: list of strings
Default:
[
"eth0"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.machines
A list mapping Ethernet addresses to IPv6 addresses for the DHCP server.
Type: list of submodules
Default:
[
]
Example:
[
{
ethernetAddress = "00:16:76:9a:32:1d"; hostName = "foo"; ipAddress = "192.168.1.10";
}
{
ethernetAddress = "00:19:d1:1d:c4:9a"; hostName = "bar"; ipAddress = "192.168.1.11";
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.machines.*.ethernetAddress
MAC address of the machine.
Type: string
Example:
"00:16:76:9a:32:1d"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.machines.*.hostName
Hostname which is assigned statically to the machine.
Type: string
Example:
"foo"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.machines.*.ipAddress
IP address of the machine.
Type: string
Example:
"192.168.1.10"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.dhcpd6.stateDir
State directory for the DHCP server.
Type: path
Default:
"/var/lib/dhcp6"
Declared by:
<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
|
services.fprintd
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.geoclue2
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.haveged.enable
Whether to enable the haveged entropy daemon, which refills /dev/random when low.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/security/haveged.nix>
|
services.haveged.refill_threshold
The number of bits of available entropy beneath which haveged should refill the entropy pool.
Type: signed integer
Default:
1024
Declared by:
<vpsadminos/os/modules/services/security/haveged.nix>
|
services.logrotate.enable
Whether to enable log rotation.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/logging/logrotate.nix>
|
services.logrotate.extraConfig
Additional text to append to logrotate.conf
Type: string
Default:
""
Example:
''
  /var/log/wtmp {
    monthly
    minsize 1M
    create 0664 root utmp
    rotate 1
  }
''
Declared by:
<vpsadminos/os/modules/services/logging/logrotate.nix>
|
services.logrotate.logFiles
This option has no description.
Type: list of submodules
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/logging/logrotate.nix>
|
services.logrotate.logFiles.*.config
logrotate configuration
Type: string
Example:
''
  daily
  rotate 7
  dateext
  copytruncate
  notifempty
  nocompress
''
Declared by:
<vpsadminos/os/modules/services/logging/logrotate.nix>
|
services.logrotate.logFiles.*.files
Files to rotate
Type: list of strings
Example:
[
"/var/log/messages" "/var/log/*.log"
]
Declared by:
<vpsadminos/os/modules/services/logging/logrotate.nix>
|
services.munin-node.enable
Enable Munin Node agent. Munin node listens on 0.0.0.0 and by default accepts connections only from 127.0.0.1 for security reasons. See http://guide.munin-monitoring.org/en/latest/architecture/index.html.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/monitoring/munin.nix>
|
services.munin-node.disabledPlugins
Munin plugins to disable, even if munin-node-configure --suggest tries to enable them. To disable a wildcard plugin, use an actual wildcard, as in the example.
munin_stats is disabled by default as it tries to read /var/log/munin/munin-update.log for timing information, and the NixOS build of Munin does not write this file.
Type: list of strings
Default:
[
"munin_stats"
]
Example:
[
"diskstats" "zfs_usage_*"
]
Declared by:
<vpsadminos/os/modules/services/monitoring/munin.nix>
|
services.munin-node.extraAutoPlugins
Additional Munin plugins to autoconfigure, using munin-node-configure --suggest. These should be the actual paths to the plugin files (or directories containing them), not just their names.
If you want to manually enable individual plugins instead, use services.munin-node.extraPlugins.
Note that only plugins that have the 'autoconfig' capability will do anything if listed here, since plugins that cannot autoconfigure won't be automatically enabled by munin-node-configure.
Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to /bin, /usr/bin, /sbin, and /usr/sbin.
Type: list of paths
Default:
[
]
Example:
[ /src/munin-contrib/plugins/zfs /src/munin-contrib/plugins/ssh ];
Declared by:
<vpsadminos/os/modules/services/monitoring/munin.nix>
|
services.munin-node.extraConfig
munin-node.conf extra configuration. See http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/monitoring/munin.nix>
|
services.munin-node.extraPluginConfig
plugin-conf.d extra plugin configuration. See http://guide.munin-monitoring.org/en/latest/plugin/use.html
Type: strings concatenated with "\n"
Default:
""
Example:
''
  [fail2ban_*]
  user root
''
Declared by:
<vpsadminos/os/modules/services/monitoring/munin.nix>
|
services.munin-node.extraPlugins
Additional Munin plugins to activate. Keys are the name of the plugin symlink, values are the path to the underlying plugin script. You can use the same plugin script multiple times (e.g. for wildcard plugins).
Note that these plugins do not participate in autoconfiguration. If you want to autoconfigure additional plugins, use services.munin-node.extraAutoPlugins.
Plugins enabled in this manner take precedence over autoconfigured plugins.
Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to /bin, /usr/bin, /sbin, and /usr/sbin.
Type: attribute set of paths
Default:
{
}
Example:
{
  zfs_usage_bigpool = /src/munin-contrib/plugins/zfs/zfs_usage_;
  zfs_usage_smallpool = /src/munin-contrib/plugins/zfs/zfs_usage_;
  zfs_list = /src/munin-contrib/plugins/zfs/zfs_list;
};
Declared by:
<vpsadminos/os/modules/services/monitoring/munin.nix>
|
services.nfs.server.enable
Whether to enable the NFS server.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.exports
Contents of the /etc/exports file. See exports(5) for the format.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.lockdPort
Use a fixed port for the NFS lock manager kernel module (lockd/nlockmgr). This is useful if the NFS server is behind a firewall.
Type: null or signed integer
Default:
null
Example:
4001
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.mountdPort
Use fixed port for rpc.mountd, useful if server is behind firewall.
Type: null or signed integer
Default:
null
Example:
4002
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.allowedVersions
This option can be used to request that rpc.nfsd offer certain versions of NFS. The current version of rpc.nfsd can support major NFS versions 2,3,4 and the minor versions 4.0, 4.1 and 4.2.
Type: list of one of "2", "3", "4", "4.0", "4.1", "4.2"s
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.disallowedVersions
This option can be used to request that rpc.nfsd does not offer certain versions of NFS. The current version of rpc.nfsd can support major NFS versions 2,3,4 and the minor versions 4.0, 4.1 and 4.2.
Type: list of one of "2", "3", "4", "4.0", "4.1", "4.2"s
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.nproc
Specify the number of NFS server threads. By default, eight threads are started. However, for optimum performance several threads should be used.
Type: positive integer, meaning >0
Default:
8
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.port
Configure port for rpc.nfsd, useful if server is behind firewall.
Type: signed integer
Default:
2049
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.syslog
By default, rpc.nfsd logs error messages (and debug messages, if enabled) to stderr. This option makes rpc.nfsd log these messages to syslog instead. Note that errors encountered during option processing will still be logged to stderr regardless of this option.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.tcp
Instruct the kernel nfs server to open and listen on a TCP socket.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.nfsd.udp
Instruct the kernel nfs server to open and listen on a UDP socket.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nfs.server.statdPort
Use a fixed port for rpc.statd. This is useful if the NFS server is behind a firewall.
Type: null or signed integer
Default:
null
Example:
4000
Declared by:
<vpsadminos/os/modules/services/network-filesystems/nfs.nix>
|
services.nscd
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.opensmtpd.enable
Whether to enable the OpenSMTPD server.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/mail/opensmtpd.nix>
|
services.opensmtpd.package
The OpenSMTPD package to use.
Type: package
Default:
"pkgs.opensmtpd"
Declared by:
<vpsadminos/os/modules/services/mail/opensmtpd.nix>
|
services.opensmtpd.addSendmailToSystemPath
Whether to add OpenSMTPD's sendmail binary to the system path or not.
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/services/mail/opensmtpd.nix>
|
services.opensmtpd.extraServerArgs
Extra command line arguments provided when the smtpd process is started.
Type: list of strings
Default:
[
]
Example:
[
"-v" "-P mta"
]
Declared by:
<vpsadminos/os/modules/services/mail/opensmtpd.nix>
|
services.opensmtpd.procPackages
Packages to search for filters, tables, queues, and schedulers. Add OpenSMTPD-extras here if you want to use the filters, etc. from that package.
Type: list of packages
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/mail/opensmtpd.nix>
|
services.opensmtpd.serverConfiguration
The contents of the smtpd.conf configuration file. See the OpenSMTPD documentation for syntax information.
Type: null or strings concatenated with "\n"
Default:
null
Example:
''
  listen on lo
  accept for any deliver to lmtp localhost:24
''
Declared by:
<vpsadminos/os/modules/services/mail/opensmtpd.nix>
|
services.openssh.enable
Whether to enable the OpenSSH secure shell daemon, which allows secure remote logins.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.allowSFTP
Whether to enable the SFTP subsystem in the SSH daemon. This enables the use of commands such as sftp and sshfs.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.authorizedKeysCommand
Specifies a program to be used to look up the user's public keys. The program must be owned by root, not writable by group or others and specified by an absolute path.
Type: string
Default:
"none"
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.authorizedKeysCommandUser
Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.
Type: string
Default:
"nobody"
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.authorizedKeysFiles
Files from which authorized keys are read.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.banner
Message to display to the remote user before authentication is allowed.
Type: null or strings concatenated with "\n"
Default:
null
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.challengeResponseAuthentication
Specifies whether challenge/response authentication is allowed.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.ciphers
Allowed ciphers.
Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
Type: list of strings
Default:
[
"chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.extraConfig
Verbatim contents of sshd_config.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.forwardX11
Whether to allow X11 connections to be forwarded.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.gatewayPorts
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See sshd_config(5).
Type: string
Default:
"no"
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.hostKeys
NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See ssh-keygen(1) for supported types and sizes.
Type: list of attribute sets
Default:
[
{
bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa";
}
{
path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519";
}
]
Example:
[
{
bits = 4096; openSSHFormat = true; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; type = "rsa";
}
{
comment = "key comment"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; type = "ed25519";
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.kexAlgorithms
Allowed key exchange algorithms
Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
Type: list of strings
Default:
[
"curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.knownHosts
Alias of programs.ssh.knownHosts.
Type: attribute set of submodules
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.knownHosts.<name>.certAuthority
This public key is an SSH certificate authority, rather than an individual host's key.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
services.openssh.knownHosts.<name>.hostNames
A list of host names and/or IP numbers used for accessing the host's ssh service.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
services.openssh.knownHosts.<name>.publicKey
The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.
Type: null or string
Default:
null
Example:
"ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
services.openssh.knownHosts.<name>.publicKeyFile
The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option.
Type: null or path
Default:
null
Declared by:
<nixpkgs/nixos/modules/programs/ssh.nix>
|
services.openssh.listenAddresses
List of addresses and ports to listen on (ListenAddress directive in config). If a port is not specified for an address, sshd will listen on all ports specified by the ports option.
NOTE: this will override default listening on all local addresses and port 22.
NOTE: setting this option won't automatically open the given ports in the firewall configuration.
Type: list of submodules
Default:
[
]
Example:
[
{
addr = "192.168.3.1"; port = 22;
}
{
addr = "0.0.0.0"; port = 64022;
}
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.listenAddresses.*.addr
Host, IPv4 or IPv6 address to listen to.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.listenAddresses.*.port
Port to listen to.
Type: null or signed integer
Default:
null
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.logLevel
Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended. LogLevel VERBOSE logs the user's key fingerprint on login, which is needed to have a clear audit trail of which key was used to log in.
Type: one of "QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"
Default:
"VERBOSE"
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.macs
Allowed MACs
Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
Type: list of strings
Default:
[
"hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.moduliFile
Path to moduli file to install in /etc/ssh/moduli. If this option is unset, then the moduli file shipped with OpenSSH will be used.
Type: path
Example:
"/etc/my-local-ssh-moduli;"
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.openFirewall
Whether to automatically open the specified ports in the firewall.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.passwordAuthentication
Specifies whether password authentication is allowed.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.permitRootLogin
Whether the root user can login using ssh.
Type: one of "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
Default:
"prohibit-password"
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.ports
Specifies on which ports the SSH daemon listens.
Type: list of 16 bit unsigned integers; between 0 and 65535 (both inclusive)
Default:
[
22
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.sftpFlags
Commandline flags to add to sftp-server.
Type: list of strings
Default:
[
]
Example:
[
"-f AUTHPRIV" "-l INFO"
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.startWhenNeeded
If set, sshd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start an instance for each incoming connection.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.openssh.useDns
Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.osctl.image-repository
Configure container image repositories
Type: attribute set of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.buildDataset
Name of a dataset used to build images
Type: string
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.buildInterval
Date and time expression for when to build images in a crontab format, i.e. minute, hour, day of month, month and day of month separated by spaces.
Type: null or string
Default:
"0 4 * * *"
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.buildScriptDir
Path to directory with image build scripts for use with osctl-image
Type: string
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.cacheDir
Path to directory where built images are cached before added to the repository.
Type: string
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.defaultVendor
Name of the default image vendor
Type: string
Example:
"vpsadminos"
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection
Garbage collection of old images
Type: list of submodules
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection.*.arch
Regular expression to match image arch
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection.*.distribution
Regular expression to match image distribution
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection.*.keep
Number of matched images to keep
Type: signed integer
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection.*.variant
Regular expression to match image variant
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection.*.vendor
Regular expression to match image vendor
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.garbageCollection.*.version
Regular expression to match image version
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.images
Configure container images
Type: attribute set of attribute sets of submodules
Default:
{
}
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.images.<name>.<name>.keepFailedTests
Keep containers of failed tests for further analysis
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.images.<name>.<name>.name
Optional image name
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.images.<name>.<name>.rebuild
Rebuild the image even if it is found in cacheDir
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.images.<name>.<name>.tags
Image tags
Type: list of strings
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.keepAllFailedTests
Keep containers of all failed tests for further analysis
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.logDir
Directory where build logs will be stored.
Type: string
Default:
"/tmp"
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.path
Path to the generated image repository.
Type: string
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.postBuild
Shell commands run after all images were built, or attempted to be built
Type: strings concatenated with "\n"
Default:
""
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.rebuildAll
Rebuild all images, even when they're found in cacheDir
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.vendors
Vendors
Type: attribute set of submodules
Default:
{
}
Example:
{
vpsadminos =
{
defaultVariant = "minimal";
}
;
}
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.osctl.image-repository.<name>.vendors.<name>.defaultVariant
Name of the default image variant
Type: string
Example:
"minimal"
Declared by:
<vpsadminos/os/modules/services/osctl/image-repository>
|
services.prometheus.exporters.node.enable
Whether to enable the node_exporter service.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
|
services.prometheus.exporters.node.enabledCollectors
Collectors to enable. The collectors listed here are enabled in addition to the default ones.
Type: list of strings
Default:
[
"runit" "nfs" "textfile"
]
Example:
''[ "nfs" ]''
Declared by:
<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
|
services.prometheus.exporters.node.disabledCollectors
Collectors to disable which are enabled by default.
Type: list of strings
Default:
[
"systemd"
]
Example:
''[ "timex" ]''
Declared by:
<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
|
services.prometheus.exporters.node.extraFlags
Extra commandline options to pass to node_exporter.
Type: list of strings
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
|
services.prometheus.exporters.node.listenAddress
Address to listen on.
Type: string
Default:
"0.0.0.0"
Declared by:
<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
|
services.prometheus.exporters.node.port
Port to listen on.
Type: signed integer
Default:
9100
Declared by:
<vpsadminos/os/modules/services/monitoring/prometheus/node_exporter.nix>
|
services.rpcbind.enable
Whether to enable the rpcbind service.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/networking/rpcbind.nix>
|
services.rsyslogd.extraConfig
Additional text to append to syslog.conf
Type: string
Default:
""
Example:
"news.* -/var/log/news"
Declared by:
<vpsadminos/os/modules/services/logging/rsyslog.nix>
|
services.rsyslogd.forward
Forward logs over TCP to a set of hosts
Type: list of strings
Default:
[
]
Example:
[
"10.0.0.1:11514"
]
Declared by:
<vpsadminos/os/modules/services/logging/rsyslog.nix>
|
services.rsyslogd.hostName
Optional hostname
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/services/logging/rsyslog.nix>
|
services.samba
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.sshd.enable
Alias of services.openssh.enable.
Type: boolean
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
services.sssd
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.udev.packages
List of packages containing udev rules.
Type: list of paths
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/hardware/eudev.nix>
|
services.udev.extraRules
Additional udev rules
Type: strings concatenated with "\n"
Default:
""
Example:
'' KERNEL=="eth*", ATTR{address}=="00:1D:60:B9:6D:4F", NAME="my_fast_network_card" ''
Declared by:
<vpsadminos/os/modules/services/hardware/eudev.nix>
|
services.udev.path
Packages added to the PATH environment variable when executing programs from Udev rules.
Type: list of paths
Default:
[
]
Declared by:
<vpsadminos/os/modules/services/hardware/eudev.nix>
|
services.xserver
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
services.zfs.autoScrub.enable
Enables periodic scrubbing of ZFS pools.
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
services.zfs.autoScrub.interval
Date and time expression for when to scrub ZFS pools in a crontab format, i.e. minute, hour, day of month, month and day of month separated by spaces.
Type: string
Default:
"0 4 */14 * *"
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
services.zfs.autoScrub.pools
List of ZFS pools to periodically scrub. If empty, all pools will be scrubbed.
Type: list of strings
Default:
[
]
Example:
[
"tank"
]
Declared by:
<vpsadminos/os/modules/tasks/filesystems/zfs>
|
services.znapzend.enable
Whether to enable ZnapZend ZFS backup daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.autoCreation
Automatically create the destination dataset if it does not exist.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.compressed
Whether to enable compressed feature which adds the options -Lce to the zfs send command. When this is enabled, make sure that both the sending and receiving pool have the same relevant features enabled. Using -c will skip unnecessary decompress-compress stages, -L is for large block support and -e is for embedded data support. See znapzend(1) and zfs(8) for more info.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.lowmemRecurse
Whether to enable lowmemRecurse. Use it on systems where you have too many datasets, so that a recursive listing of attributes to find backup plans exhausts the memory available to znapzend: instead, go the slower way to first list all impacted dataset names, and then query their configs one by one.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.oracleMode
Whether to enable destroying snapshots one by one instead of using one long argument list. If source and destination are out of sync for a long time, you may have so many snapshots to destroy that the argument list gets too long and the command fails.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.recvu
Whether to enable recvu feature which uses -u on the receiving end to keep the destination filesystem unmounted.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.sendRaw
Whether to enable sendRaw feature which adds the options -w to the zfs send command. For encrypted source datasets this instructs zfs not to decrypt before sending which results in a remote backup that can't be read without the encryption key/passphrase, useful when the remote isn't fully trusted or not physically secure. This option must be used consistently, raw incrementals cannot be based on non-raw snapshots and vice versa.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.skipIntermediates
Whether to enable the skipIntermediates feature to send a single increment between latest common snapshot and the newly made one. It may skip several source snaps if the destination was offline for some time, and it should skip snapshots not managed by znapzend. Normally for online destinations, the new snapshot is sent as soon as it is created on the source, so there are no automatic increments to skip.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.features.zfsGetType
Whether to enable zfsGetType. Use it if your zfs get supports a -t argument for filtering by dataset type at all AND lists properties for snapshots by default when recursing, so that there is too much data to process while searching for backup plans. If these two conditions apply to your system, the time needed for a --recursive search for backup plans can literally differ by hundreds of times (depending on the amount of snapshots in that dataset tree... and a decent backup plan will ensure you have a lot of those), so you would benefit from requesting this feature.
Type: boolean
Default:
false
Example:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.logLevel
The log level when logging to file. Any of debug, info, warning, err, alert. Default in daemonized form is debug.
Type: one of "debug", "info", "warning", "err", "alert"
Default:
"debug"
Example:
"warning"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.logTo
Where to log to (syslog::<facility> or <filepath>).
Type: string
Default:
"syslog::daemon"
Example:
"/var/log/znapzend.log"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.noDestroy
Does all changes to the filesystem except destroy.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.pure
Do not persist any stateful znapzend setups. If this option is enabled, your previously set znapzend setups will be cleared and only the ones defined with this module will be applied.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup
Znapzend configuration.
Type: attribute set of submodules
Default:
{
}
Example:
{
  "tank/home" = {
    # Make snapshots of tank/home every hour, keep those for 1 day,
    # keep every days snapshot for 1 month, etc.
    plan = "1d=>1h,1m=>1d,1y=>1m";
    recursive = true;
    # Send all those snapshots to john@example.com:rtank/john as well
    destinations.remote = {
      host = "john@example.com";
      dataset = "rtank/john";
    };
  };
};
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.enable
Whether to enable this source.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.dataset
The dataset to use for this source.
Type: string
Example:
"tank/home"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations
Additional destinations.
Type: attribute set of submodules
Default:
{
}
Example:
{ local = { dataset = "btank/backup"; presend = "zpool import -N btank"; postsend = "zpool export btank"; }; remote = { host = "john@example.com"; dataset = "tank/john"; }; };
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations.<name>.dataset
Dataset name to send snapshots to.
Type: string
Example:
"tank/main"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations.<name>.host
Host to use for the destination dataset. Can be prefixed with user@ to specify the ssh user.
Type: null or string
Default:
null
Example:
"john@example.com"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations.<name>.label
Label for this destination. Defaults to the attribute name.
Type: string
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations.<name>.plan
The znapzend backup plan to use for the source.
The plan specifies how often to back up and for how long to keep the backups. It consists of a series of retention periods to interval associations:
retA=>intA,retB=>intB,...
Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use both the full name or a shortcut according to the following listing:
second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y
See znapzendzetup(1) for more info.
Type: string
Example:
"1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations.<name>.postsend
Command to run after sending the snapshot to the destination.
Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also presend.
Type: null or string
Default:
null
Example:
"ssh root@bserv zpool export tank"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.destinations.<name>.presend
Command to run before sending the snapshot to the destination.
Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also postsend.
Type: null or string
Default:
null
Example:
"ssh root@bserv zpool import -Nf tank"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.mbuffer.enable
Whether to use mbuffer.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.mbuffer.port
Port to use for mbuffer. If this is null, it will run mbuffer through ssh. If this is not null, it will run mbuffer directly through TCP, which is not encrypted but faster. In that case the given port needs to be open on the destination host.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
null
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.mbuffer.size
The size for mbuffer. Supports the units b, k, M, G.
Type: string of the form number{b|k|M|G}
Default:
"1G"
Example:
"128M"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.plan
The znapzend backup plan to use for the source.
The plan specifies how often to back up and for how long to keep the backups. It consists of a series of retention periods to interval associations:
retA=>intA,retB=>intB,...
Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use both the full name or a shortcut according to the following listing:
second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y
See znapzendzetup(1) for more info.
Type: string
Example:
"1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.postsnap
Command to run after snapshots are taken on the source dataset, e.g. for database unlocking. See also presnap.
Type: null or string
Default:
null
Example:
${pkgs.coreutils}/bin/kill `${pkgs.coreutils}/bin/cat /tmp/mariadblock.pid`;${pkgs.coreutils}/bin/rm /tmp/mariadblock.pid
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.presnap
Command to run before snapshots are taken on the source dataset, e.g. for database locking/flushing. See also postsnap.
Type: null or string
Default:
null
Example:
${pkgs.mariadb}/bin/mysql -e "set autocommit=0;flush tables with read lock;\\! ${pkgs.coreutils}/bin/sleep 600" & ${pkgs.coreutils}/bin/echo $! > /tmp/mariadblock.pid ; sleep 10
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.recursive
Whether to do recursive snapshots.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.sendDelay
Specify delay (in seconds) before sending snaps to the destination. May be useful if you want to control sending time.
Type: signed integer
Default:
0
Example:
60
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
services.znapzend.zetup.<name>.timestampFormat
The timestamp format to use for constructing snapshot names.
The syntax is strftime-like. The string must consist of the mandatory %Y %m %d %H %M %S. Optionally - _ . : characters as well as any alphanumeric character are allowed. If suffixed by a Z, times will be in UTC.
Type: string containing all of the characters %Y, %m, %d, %H, %M, %S
Default:
"%Y-%m-%d-%H%M%S"
Example:
"znapzend-%m.%d.%Y-%H%M%SZ"
Declared by:
<nixpkgs/nixos/modules/services/backup/znapzend.nix>
|
swapDevices
The swap devices and swap files. These must have been initialised using mkswap. Each element should be an attribute set specifying either the path of the swap device or file (device) or the label of the swap device (label, see mkswap -L). Using a label is recommended.
Type: list of submodules
Default:
[
]
Example:
[
{
device = "/dev/hda7";
}
{
device = "/var/swapfile";
}
{
label = "bigswap";
}
]
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.device
Path of the device or swap file.
Type: string
Example:
"/dev/sda3"
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.label
Label of the device. Can be used instead of device.
Type: string
Example:
"swap"
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.priority
Specify the priority of the swap device. Priority is a value between 0 and 32767. Higher numbers indicate higher priority. null lets the kernel choose a priority, which will show up as a negative value.
Type: null or signed integer
Default:
null
Example:
2048
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.randomEncryption
Encrypt swap device with a random key. This way you won't have a persistent swap device. HINT: run "cryptsetup benchmark" to test cipher performance on your machine. WARNING: Don't try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it! WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…
Type: submodule or boolean convertible to it
Default:
false
Example:
{
cipher = "serpent-xts-plain64"; enable = true; source = "/dev/random";
}
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.randomEncryption.enable
Encrypt swap device with a random key. This way you won't have a persistent swap device. WARNING: Don't try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it! WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.randomEncryption.cipher
Use specified cipher for randomEncryption. Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
Type: string
Default:
"aes-xts-plain64"
Example:
"serpent-xts-plain64"
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.randomEncryption.source
Define the source of randomness to obtain a random key for encryption.
Type: string
Default:
"/dev/urandom"
Example:
"/dev/random"
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
swapDevices.*.size
If this option is set, ‘device’ is interpreted as the path of a swapfile that will be created automatically with the indicated size (in megabytes).
Type: null or signed integer
Default:
null
Example:
2048
Declared by:
<nixpkgs/nixos/modules/config/swap.nix>
|
system.activationScripts
A set of shell script fragments that are executed when a NixOS system configuration is activated. Examples are updating /etc, creating accounts, and so on. Since these are executed every time you boot the system or run nixos-rebuild, it's important that they are idempotent and fast.
Type: attribute set of unspecifieds
Default:
{
}
Example:
{
  stdio = {
    text = ''
      # Needed by some programs.
      ln -sfn /proc/self/fd /dev/fd
      ln -sfn /proc/self/fd/0 /dev/stdin
      ln -sfn /proc/self/fd/1 /dev/stdout
      ln -sfn /proc/self/fd/2 /dev/stderr
    '';
    deps = [];
  };
}
Declared by:
<nixpkgs/nixos/modules/system/activation/activation-script.nix>
|
system.boot.restrict-proc-sysfs.enable
Restrict proc and sysfs contents
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/system/boot/restrict-proc-sysfs>
|
system.boot.restrict-proc-sysfs.config
Config passed to ../restrict-dirs.nix
Type: attribute set
Default:
{
  "/proc/bus" = false;
  "/sys/block" = false;
  "/sys/bus" = {
    subdirs = {
      pci = true;
    };
  };
  "/sys/class" = {
    subdirs = {
      mem = true; misc = true; net = true; pci_bus = true; tty = true;
    };
  };
  "/sys/dev/block" = true;
  "/sys/devices" = {
    subdirs = {
      "pci*" = true;
      system = {
        subdirs = {
          cpu = true; node = true;
        };
      };
      virtual = {
        subdirs = {
          mem = true; misc = true; net = true; tty = true;
        };
      };
    };
  };
  "/sys/firmware" = false;
  "/sys/module" = {
    subdirs = {
      "*" = {
        default = true;
        subdirs = {
          sections = false;
        };
      };
    };
  };
  "/sys/power" = false;
}
Declared by:
<vpsadminos/os/modules/system/boot/restrict-proc-sysfs>
|
system.extraDependencies
A list of packages that should be included in the system closure but not otherwise made available to users. This is primarily used by the installation tests.
Type: list of packages
Default:
[
]
Declared by:
<vpsadminos/os/modules/system/activation/top-level.nix>
|
system.nssDatabases.group
List of group entries to configure in /etc/nsswitch.conf.
Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
This option only takes effect if nscd is enabled.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/nsswitch.nix>
|
system.nssDatabases.hosts
List of hosts entries to configure in /etc/nsswitch.conf.
Note that "files" is always prepended, and "dns" and "myhostname" are always appended.
This option only takes effect if nscd is enabled.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/nsswitch.nix>
|
system.nssDatabases.passwd
List of passwd entries to configure in /etc/nsswitch.conf.
Note that "files" is always prepended while "systemd" is appended if nscd is enabled.
This option only takes effect if nscd is enabled.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/nsswitch.nix>
|
system.nssDatabases.services
List of services entries to configure in /etc/nsswitch.conf.
Note that "files" is always prepended.
This option only takes effect if nscd is enabled.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/nsswitch.nix>
|
system.nssDatabases.shadow
List of shadow entries to configure in /etc/nsswitch.conf.
Note that "files" is always prepended.
This option only takes effect if nscd is enabled.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/nsswitch.nix>
|
system.osCodeName
The vpsAdminOS release code name (e.g. Emu).
Type: string (read only)
Declared by:
<vpsadminos/os/modules/misc/version.nix>
|
system.osLabel
Label to be used in the names of generated outputs and boot labels.
Type: string
Declared by:
<vpsadminos/os/modules/misc/version.nix>
|
system.osRelease
The vpsAdminOS release (e.g. 16.03).
Type: string (read only)
Default:
"20.09.0"
Declared by:
<vpsadminos/os/modules/misc/version.nix>
|
system.secretsDir
Path to a directory containing secret keys and other files that should not be stored in the Nix store. The directory's base name has to be secrets.
If the sandbox is enabled (nix.useSandbox = true;) on the build machine, you need to add your directory with secrets to nix.sandboxPaths and then set this option to the path within the sandbox. For example, if your secrets on the build machine are stored in /home/vpsadminos/secrets, you could set nix.sandboxPaths = [ "/secrets=/home/vpsadminos/secrets" ]; on the build machine and system.secretsDir = "/secrets"; in vpsAdminOS config.
Type: null or string
Default:
null
Declared by:
<vpsadminos/os/modules/system/activation/secrets.nix>
|
system.stateVersion
Every once in a while, a new vpsAdminOS release may change configuration defaults in a way incompatible with stateful data. For instance, if the default version of PostgreSQL changes, the new version will probably be unable to read your existing databases. To prevent such breakage, you can set the value of this option to the vpsAdminOS release with which you want to be compatible. The effect is that vpsAdminOS will use option defaults corresponding to the specified release (such as using an older version of PostgreSQL).
Type: string
Default:
"20.09.0"
Declared by:
<vpsadminos/os/modules/misc/version.nix>
|
system.storeOverlaySize
Size of the tmpfs filesystems used as an overlay for /nix/store. See option size in man tmpfs(5) for possible values.
Type: string
Default:
"2G"
Declared by:
<vpsadminos/os/modules/system/activation/top-level.nix>
|
system.userActivationScripts
A set of shell script fragments that are executed by a systemd user service when a NixOS system configuration is activated. Examples are rebuilding the .desktop file cache for showing applications in the menu. Since these are executed every time you run nixos-rebuild, it's important that they are idempotent and fast.
Type: attribute set of unspecifieds
Default:
{
}
Example:
{
  plasmaSetup = {
    text = ''
      ${pkgs.libsForQt5.kservice}/bin/kbuildsycoca5
    '';
    deps = [];
  };
}
Declared by:
<nixpkgs/nixos/modules/system/activation/activation-script.nix>
|
systemd.packages
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
systemd.globalEnvironment
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
systemd.services
This option has no description.
Type: attribute set of unspecifieds
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
systemd.sockets
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
systemd.targets
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
systemd.tmpfiles
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
systemd.user
This option has no description.
Type: unspecified
Declared by:
<vpsadminos/os/modules/nixos-compat.nix>
|
time.hardwareClockInLocalTime
If set, keep the hardware clock in local time instead of UTC.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
|
time.timeZone
The time zone used when displaying times and dates. See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a comprehensive list of possible values for this setting. If null, the timezone will default to UTC and can be set imperatively using timedatectl.
Type: null or string without spaces
Default:
null
Example:
"America/New_York"
Declared by:
<nixpkgs/nixos/modules/config/locale.nix>
|
tty.autologin.enable
Whether to enable autologin on ttys.
Type: boolean
Default:
false
Example:
true
Declared by:
<vpsadminos/os/modules/services/ttys/agetty.nix>
|
tty.autologin.user
Autologin user
Type: string
Default:
"root"
Declared by:
<vpsadminos/os/modules/services/ttys/agetty.nix>
|
tty.spawnSerial
Number of serial TTYs (STTYs) spawned (for /dev/ttyS0)
Type: integer between 0 and 10 (both inclusive)
Default:
1
Declared by:
<vpsadminos/os/modules/services/ttys/agetty.nix>
|
tty.spawnStandard
Number of TTYs spawned, set to 0 to disable
Type: integer between 0 and 10 (both inclusive)
Default:
4
Declared by:
<vpsadminos/os/modules/services/ttys/agetty.nix>
|
users.defaultUserShell
This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package. This must not be a store path, since the path is used outside the store (in particular in /etc/passwd).
Type: path or package
Example:
pkgs.zsh
Declared by:
<nixpkgs/nixos/modules/programs/shadow.nix>
|
users.enforceIdUniqueness
Whether to require that no two users/groups share the same uid/gid.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraGroups
Alias of users.groups.
Type: attribute set of submodules
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraGroups.<name>.gid
The group GID. If the GID is null, a free GID is picked on activation.
Type: null or signed integer
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraGroups.<name>.members
The user names of the group members, added to the /etc/group file.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraGroups.<name>.name
The name of the group. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers
Alias of users.users.
Type: attribute set of submodules
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.packages
The set of packages that should be made available to the user.
This is in contrast to environment.systemPackages, which adds packages to all users.
Type: list of packages
Default:
[
]
Example:
[ pkgs.firefox pkgs.thunderbird ]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.createHome
If true, the home directory will be created automatically. If this option is true and the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.cryptHomeLuks
Path to encrypted luks device that contains the user's home directory.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.description
A short description of the user account, typically the user's full name. This is actually the “GECOS” or “comment” field in /etc/passwd.
Type: string
Default:
""
Example:
"Alice Q. User"
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.extraGroups
The user's auxiliary groups.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.group
The user's primary group.
Type: string
Default:
"nogroup"
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.hashedPassword
Specifies the hashed password for the user.
The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile.
If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.
If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.
To generate a hashed password install the mkpasswd package and run mkpasswd -m sha-512.
If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a password (i.e. via login command).
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.home
The user's home directory.
Type: path
Default:
"/var/empty"
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.initialHashedPassword
Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the hashedPassword option.
To generate a hashed password install the mkpasswd package and run mkpasswd -m sha-512.
If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a password (i.e. via login command).
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.initialPassword
Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.isNormalUser
Indicates whether this is an account for a “real” user. This automatically sets group to users, createHome to true, home to /home/username, useDefaultShell to true, and isSystemUser to false.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.isSystemUser
Indicates if the user is a system user or not. This option only has an effect if uid is null, in which case it determines whether the user's UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000).
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.name
The name of the user account. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.openssh.authorizedKeys.keyFiles
A list of files each containing one OpenSSH public key that should be added to the user's authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keyFiles and keys options.
Type: list of paths
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
users.extraUsers.<name>.openssh.authorizedKeys.keys
A list of verbatim OpenSSH public keys that should be added to the user's authorized keys. The keys are added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keys and keyFiles options.
Warning: If you are using NixOps then don't use this option since it will replace the key required for deployment via ssh.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
users.extraUsers.<name>.password
Specifies the (clear text) password for the user.
Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts.
The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile.
If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.
If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.passwordFile
The full path to a file that contains the user's password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command.
The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile.
If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.
If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.shell
The path to the user's shell. Can use shell derivations, like pkgs.bashInteractive. Don’t forget to enable your shell in programs if necessary, like programs.zsh.enable = true;.
Type: package or path
Default:
"pkgs.shadow"
Example:
pkgs.bashInteractive
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.subGidRanges
Subordinate group ids that user is allowed to use. They are set into /etc/subgid and are used by newgidmap for user namespaces.
Type: list of submodules
Default:
[
]
Example:
[
{
count = 1; startGid = 100;
}
{
count = 999; startGid = 1001;
}
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.subGidRanges.*.count
Count of subordinate group ids
Type: signed integer
Default:
1
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.subGidRanges.*.startGid
Start of the range of subordinate group ids that user is allowed to use.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.subUidRanges
Subordinate user ids that user is allowed to use. They are set into /etc/subuid and are used by newuidmap for user namespaces.
Type: list of submodules
Default:
[
]
Example:
[
{
count = 1; startUid = 1000;
}
{
count = 65534; startUid = 100001;
}
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.subUidRanges.*.count
Count of subordinate user ids
Type: signed integer
Default:
1
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.subUidRanges.*.startUid
Start of the range of subordinate user ids that user is allowed to use.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.uid
The account UID. If the UID is null, a free UID is picked on activation.
Type: null or signed integer
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.extraUsers.<name>.useDefaultShell
If true, the user's shell will be set to users.defaultUserShell.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.groups
Additional groups to be created automatically by the system.
Type: attribute set of submodules
Default:
{
}
Example:
{
  hackers = { };
  students = {
    gid = 1001;
  };
}
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.groups.<name>.gid
The group GID. If the GID is null, a free GID is picked on activation.
Type: null or signed integer
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.groups.<name>.members
The user names of the group members, added to the /etc/group file.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.groups.<name>.name
The name of the group. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.ldap.enable
Whether to enable authentication against an LDAP server.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.base
The distinguished name of the search base.
Type: unspecified
Example:
"dc=example,dc=org"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.bind.distinguishedName
The distinguished name to bind to the LDAP server with. If this is not specified, an anonymous bind will be done.
Type: string
Default:
""
Example:
"cn=admin,dc=example,dc=com"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.bind.passwordFile
The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).
Type: string
Default:
"/etc/ldap/bind.password"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.bind.policy
Specifies the policy to use for reconnecting to an unavailable LDAP server. The default is hard_open, which reconnects if opening the connection to the directory server failed. By contrast, hard_init reconnects if initializing the connection failed. Initializing may not actually contact the directory server, and it is possible that a malformed configuration file will trigger reconnection. If soft is specified, then nss_ldap will return immediately on server failure. All hard reconnect policies block with exponential backoff before retrying.
Type: one of "hard_open", "hard_init", "soft"
Default:
"hard_open"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.bind.timeLimit
Specifies the time limit (in seconds) to use when connecting to the directory server. This is distinct from the time limit specified in users.ldap.timeLimit and affects the initial server connection only.
Type: signed integer
Default:
30
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.daemon.enable
Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM. This can improve performance, and if you need to bind to the LDAP server with a password, it increases security, since only the nslcd user needs to have access to the bindpw file, not everyone that uses NSS and/or PAM. If this option is enabled, a local nscd user is created automatically, and the nslcd service is started automatically when the network gets up.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.daemon.extraConfig
Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf).
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.daemon.rootpwmoddn
The distinguished name to use to bind to the LDAP server when the root user tries to modify a user's password.
Type: string
Default:
""
Example:
"cn=admin,dc=example,dc=com"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.daemon.rootpwmodpwFile
The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user's password.
Type: string
Default:
""
Example:
"/run/keys/nslcd.rootpwmodpw"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.extraConfig
Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf). If users.ldap.daemon is enabled, this configuration will not be used. In that case, use users.ldap.daemon.extraConfig instead.
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.loginPam
Whether to include authentication against LDAP in login PAM
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.nsswitch
Whether to include lookup against LDAP in NSS
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.server
The URL of the LDAP server.
Type: unspecified
Example:
"ldap://ldap.example.org/"
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.timeLimit
Specifies the time limit (in seconds) to use when performing searches. A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
Type: signed integer
Default:
0
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.ldap.useTLS
If enabled, use TLS (encryption) over an LDAP (port 389) connection. The alternative is to specify an LDAPS server (port 636) in users.ldap.server or to forego security.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/ldap.nix>
|
users.motd
Message of the day shown to users when they log in.
Type: null or strings concatenated with "\n"
Default:
null
Example:
"Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."
Declared by:
<nixpkgs/nixos/modules/security/pam.nix>
|
users.mutableUsers
If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands. On system activation, the existing contents of the /etc/passwd and /etc/group files will be merged with the contents generated from the users.users and users.groups options. The initial password for a user will be set according to users.users, but existing passwords will not be changed.
If set to false, the contents of the user and group files will simply be replaced on system activation. This also holds for the user passwords; all changed passwords will be reset according to the users.users configuration on activation.
Type: boolean
Default:
true
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
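A configuration fragment showing how users.mutableUsers interacts with the three password options, as an added example that is not part of the original reference. The account names, the key string and the passwordFile path are assumptions made up for illustration.

```nix
{ config, pkgs, ... }:

{
  # Fully declarative accounts: /etc/passwd and /etc/group are replaced on
  # every activation and passwords are reset to what is configured here.
  users.mutableUsers = false;

  # Administrative account: the secret stays outside the Nix store.
  users.users.alice = {
    isNormalUser = true;          # group "users", home /home/alice, default shell
    extraGroups = [ "wheel" ];

    # Read on each activation; must contain exactly one line in a form
    # suitable for `chpasswd -e` (e.g. output of `mkpasswd -m sha-512`).
    # Given as a string, not a Nix path literal, so the file itself is not
    # copied into the world-readable store. Hypothetical path.
    passwordFile = "/var/lib/secrets/alice.passwd";

    # Constructed placeholder, not a real key.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...placeholder alice@example"
    ];
  };

  # Public guest account: `password` is clear text and world-readable in the
  # Nix store, so it is only acceptable for an account like this one.
  users.users.guest = {
    isNormalUser = true;
    password = "guest";
  };

  # Service account: none of hashedPassword, password or passwordFile is set,
  # so no password is assigned and password logins are not possible.
  users.users.backup = {
    isSystemUser = true;          # UID allocated from the system range
  };

  # Precedence reminder: if alice also had `hashedPassword` or `password`
  # set, either would override `passwordFile` above.
}
```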
|
users.users
Additional user accounts to be created automatically by the system. This can also be used to set options for root.
Type: attribute set of submodules
Default:
{
}
Example:
{
  alice = {
    createHome = true;
    description = "Alice Q. User";
    extraGroups = [ "wheel" ];
    group = "users";
    home = "/home/alice";
    shell = "/bin/sh";
    uid = 1234;
  };
}
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
users.users.<name>.packages
The set of packages that should be made available to the user.
This is in contrast to environment.systemPackages, which adds packages to all users.
Type: list of packages
Default:
[
]
Example:
[ pkgs.firefox pkgs.thunderbird ]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.createHome
If true, the home directory will be created automatically. If this option is true and the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.cryptHomeLuks
Path to encrypted luks device that contains the user's home directory.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.description
A short description of the user account, typically the user's full name. This is actually the “GECOS” or “comment” field in /etc/passwd.
Type: string
Default:
""
Example:
"Alice Q. User"
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.extraGroups
The user's auxiliary groups.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.group
The user's primary group.
Type: string
Default:
"nogroup"
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.hashedPassword
Specifies the hashed password for the user.
The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile.
If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.
If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.
To generate a hashed password install the mkpasswd package and run mkpasswd -m sha-512.
If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a password (i.e. via login command).
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.home
The user's home directory.
Type: path
Default:
"/var/empty"
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.initialHashedPassword
Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the hashedPassword option.
To generate a hashed password install the mkpasswd package and run mkpasswd -m sha-512.
If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a password (i.e. via login command).
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.initialPassword
Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.isNormalUser
Indicates whether this is an account for a “real” user. This automatically sets group to users, createHome to true, home to /home/username, useDefaultShell to true, and isSystemUser to false.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.isSystemUser
Indicates if the user is a system user or not. This option only has an effect if uid is null, in which case it determines whether the user's UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000).
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.name
The name of the user account. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.openssh.authorizedKeys.keyFiles
A list of files each containing one OpenSSH public key that should be added to the user's authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keyFiles and keys options.
Type: list of paths
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
users.users.<name>.openssh.authorizedKeys.keys
A list of verbatim OpenSSH public keys that should be added to the user's authorized keys. The keys are added to a file that the SSH daemon reads in addition to the user's authorized_keys file. You can combine the keys and keyFiles options.
Warning: If you are using NixOps then don't use this option since it will replace the key required for deployment via ssh.
Type: list of strings
Default:
[
]
Declared by:
<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
|
users.users.<name>.password
Specifies the (clear text) password for the user.
Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts.
The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile.
If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.
If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.passwordFile
The full path to a file that contains the user's password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command.
The options hashedPassword, password and passwordFile control what password is set for the user. hashedPassword overrides both password and passwordFile. password overrides passwordFile.
If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.
If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords; they will always be set according to the password options.
Type: null or string
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.shell
The path to the user's shell. Can use shell derivations, like pkgs.bashInteractive. Don’t forget to enable your shell in programs if necessary, like programs.zsh.enable = true;.
Type: package or path
Default:
"pkgs.shadow"
Example:
pkgs.bashInteractive
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.subGidRanges
Subordinate group ids that user is allowed to use. They are set into /etc/subgid and are used by newgidmap for user namespaces.
Type: list of submodules
Default:
[
]
Example:
[
{
count = 1; startGid = 100;
}
{
count = 999; startGid = 1001;
}
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.subGidRanges.*.count
Count of subordinate group ids
Type: signed integer
Default:
1
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.subGidRanges.*.startGid
Start of the range of subordinate group ids that user is allowed to use.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.subUidRanges
Subordinate user ids that user is allowed to use. They are set into /etc/subuid and are used by newuidmap for user namespaces.
Type: list of submodules
Default:
[
]
Example:
[
{
count = 1; startUid = 1000;
}
{
count = 65534; startUid = 100001;
}
]
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.subUidRanges.*.count
Count of subordinate user ids
Type: signed integer
Default:
1
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.subUidRanges.*.startUid
Start of the range of subordinate user ids that user is allowed to use.
Type: signed integer
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.uid
The account UID. If the UID is null, a free UID is picked on activation.
Type: null or signed integer
Default:
null
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
users.users.<name>.useDefaultShell
If true, the user's shell will be set to users.defaultUserShell.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/config/users-groups.nix>
|
virtualisation.lxc.enable
This enables Linux Containers (LXC), which provides tools for creating and managing system or application containers on Linux.
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/virtualisation/lxc.nix>
|
virtualisation.lxc.defaultConfig
Default config (default.conf) for new containers, i.e. for network config. See lxc.container.conf (5).
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/virtualisation/lxc.nix>
|
virtualisation.lxc.lxcfs.enable
This enables LXCFS, a FUSE filesystem for LXC.
To use lxcfs, include the following configuration in your container configuration:
virtualisation.lxc.defaultConfig = "lxc.include = ${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf";
Type: boolean
Default:
false
Declared by:
<nixpkgs/nixos/modules/virtualisation/lxcfs.nix>
|
virtualisation.lxc.systemConfig
This is the system-wide LXC config. See lxc.system.conf(5).
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/virtualisation/lxc.nix>
|
virtualisation.lxc.usernetConfig
This is the config file for managing unprivileged user network administration access in LXC. See lxc-usernet(5).
Type: strings concatenated with "\n"
Default:
""
Declared by:
<nixpkgs/nixos/modules/virtualisation/lxc.nix>
|
vpsadmin.enable
Enable vpsAdmin integration, i.e. include nodectld and nodectl
Type: boolean
Default:
false
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.consoleHost
Address for console server to listen on
Type: string
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.db
Database credentials. Don't use this for production deployments, as the credentials would be world readable in the Nix store. Pass the database credentials through deployment.keys.nodectld-config in NixOps.
Type: submodule
Default:
{
host = ""; name = ""; password = ""; user = "";
}
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.db.host
Database hostname
Type: string
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.db.name
Database name
Type: string
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.db.password
Database password
Type: string
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.db.user
Database user
Type: string
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.netInterfaces
Network interfaces
Type: list of strings
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.nodeId
Node ID
Type: signed integer
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadmin.transactionPublicKeyFile
Path to file with public key used to verify transactions
Type: path
Default:
"/etc/vpsadmin/transaction.key"
Declared by:
<vpsadminos/os/modules/vpsadmin/nodectld.nix>
|
vpsadminos.nix
enable nix-daemon and a writeable store
Type: boolean
Default:
true
Declared by:
<vpsadminos/os/modules/system/activation/top-level.nix>
|