Appendix A. Configuration Options

List of names of kernel modules that should not be loaded automatically by the hardware probing code.

Type: list of strings

Default: [ ]

Example: [ "cirrusfb" "i2c_piix4" ]

Declared by:

The kernel console loglevel. All Kernel Messages with a log level smaller than this setting will be printed to the console.

Type: signed integer

Default: 4

Declared by:

This option has no description.

Type: string

Default: "50%"

Example: "256m"

Declared by:

This option has no description.

Type: string

Default: "5%"

Example: "32m"

Declared by:

Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.d(5) for details.

Type: strings concatenated with "\n"

Default: ""

Example:

''
options parport_pc io=0x378 irq=7 dma=1
''

Declared by:

A list of additional packages supplying kernel modules.

Type: list of packages

Default: [ ]

Example:

[ config.boot.kernelPackages.nvidia_x11 ]

Declared by:

Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.

Type: boolean

Default: "!config.boot.isContainer"

Declared by:

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Type: list of strings

Default: [ ]

Example: [ "sata_nv" "ext3" ]

Declared by:

List of modules that are always loaded by the initrd.

Type: list of strings

Default: [ ]

Declared by:

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Type: list of strings

Default: [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher" ]

Declared by:

The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/name.

Type: attribute set of submodules

Default: { }

Example: { luksroot = { device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; } ; }

Declared by:

Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it.

Type: boolean

Default: false

Declared by:

Path of the underlying encrypted block device.

Type: string

Example: "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"

Declared by:

Whether to fallback to interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.

Type: boolean

Default: false

Declared by:

The FIDO2 credential ID.

Type: null or string

Default: null

Example: "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"

Declared by:

Time in seconds to wait for the FIDO2 key.

Type: signed integer

Default: 10

Declared by:

Defines whatever to use an empty string as a default salt. Enable only when your device is PIN protected, such as Trezor.

Type: boolean

Default: false

Declared by:

The option to use this LUKS device with a GPG encrypted luks password by the GPG Smartcard. If null (the default), GPG-Smartcard will be disabled for this device.

Type: null or submodule

Default: null

Declared by:

Path to the GPG encrypted passphrase.

Type: path

Default: ""

Declared by:

Time in seconds to wait for the GPG Smartcard.

Type: signed integer

Default: 10

Declared by:

Path to the Public Key.

Type: path

Default: ""

Declared by:

The name of the file or block device that should be used as header for the encrypted device.

Type: null or string

Default: null

Example: "/root/header.img"

Declared by:

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Type: null or string

Default: null

Example: "/dev/sdb1"

Declared by:

The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used decryption, instead of just the first keyFileSize bytes.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

Commands that should be run right after we have mounted our LUKS device.

Type: strings concatenated with "\n"

Default: ""

Example:

''
umount /tmp/persistent
''

Declared by:

Whether the luksOpen will be attempted before LVM scan or after it.

Type: boolean

Default: true

Declared by:

Commands that should be run right before we try to mount our LUKS device. This can be useful, if the keys needed to open the drive is on another partion.

Type: strings concatenated with "\n"

Default: ""

Example:

''
mkdir -p /tmp/persistent
mount -t zfs rpool/safe/persistent /tmp/persistent
''

Declared by:

The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.

Type: null or submodule

Default: null

Declared by:

Time in seconds to wait for the Yubikey.

Type: signed integer

Default: 10

Declared by:

How much the iteration count for PBKDF2 is increased at each successful authentication.

Type: signed integer

Default: 0

Declared by:

Length of the LUKS slot key derived with PBKDF2 in byte.

Type: signed integer

Default: 64

Declared by:

Length of the new salt in byte (64 is the effective maximum).

Type: signed integer

Default: 16

Declared by:

Which slot on the Yubikey to challenge.

Type: signed integer

Default: 2

Declared by:

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Type: path

Default: "/dev/sda1"

Declared by:

The filesystem of the unencrypted device.

Type: string

Default: "vfat"

Declared by:

Absolute path of the salt on the unencrypted device with that device's root directory as "/".

Type: string

Default: "/crypt-storage/default"

Declared by:

Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false).

Type: boolean

Default: true

Declared by:

Enables support for authenticating with FIDO2 devices.

Type: boolean

Default: false

Declared by:

Enables support for authenticating with a GPG encrypted password.

Type: boolean

Default: false

Declared by:

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at http://en.wikipedia.org/wiki/DMA_attack. This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!

Type: boolean

Default: true

Declared by:

When opening a new LUKS device try reusing last successful passphrase. Useful for mounting a number of devices that use the same passphrase without retyping it several times. Such setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.

Type: boolean

Default: true

Declared by:

Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly setup a LUKS device and a Yubikey to work with this feature.

Type: boolean

Default: false

Declared by:

Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP. You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.

Type: boolean

Default: false

Declared by:

Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options.

Type: boolean

Default: true

Declared by:

Shell commands to be executed after stage 1 of the boot has initialised the network.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished. The sshd configuration is largely inherited from services.openssh.

Type: boolean

Default: false

Declared by:

Authorized keys for the root user on initrd.

Type: list of strings

Default: "config.users.users.root.openssh.authorizedKeys.keys"

Declared by:

Verbatim contents of sshd_config.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Specify SSH host keys to import into the initrd. To generate keys, use ssh-keygen(1):

# ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

Type: list of string or paths

Default: [ ]

Example: [ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ]

Declared by:

Port on which SSH initrd service should listen.

Type: signed integer

Default: 22

Declared by:

Login shell of the remote user. Can be used to limit actions user can do.

Type: string

Default: "/bin/ash"

Declared by:

Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and networking.useDHCP are enabled.

Type: list of strings

Default: [ ]

Declared by:

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed before the failure prompt is shown.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed immediately before LVM discovery. vpsAdminOS actually does not support LVM, this is just for compatibility with other modules.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Names of supported filesystem types in the initial ramdisk.

Type: list of strings

Default: [ ]

Example: [ "btrfs" ]

Declared by:

Include hardware support kernel modules in initrd (so e.g. zfs sees disks)

Type: boolean

Default: true

Declared by:

This option has no description.

Type: boolean

Default: false

Declared by:

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.

Type: string

Default: ""

Example: "my secret seed"

Declared by:

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

Type: attribute set of sysctl option values

Default: { }

Example:

{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }

Declared by:

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

Type: list of strings

Default: [ ]

Declared by:

base linux kernel package

Type: package

Default: (build of linux-5.9.2)

Declared by:

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Type: unspecified

Default: "pkgs.linuxPackages"

Example:

pkgs.linuxPackages_2_6_25

Declared by:

Parameters added to the kernel command line.

Type: list of strings

Default: [ ]

Declared by:

A list of additional patches to apply to the kernel.

Type: list of attribute sets

Default: [ ]

Example:

[ pkgs.kernelPatches.ubuntu_fan_4_4 ]

Declared by:

Whether the installation process is allowed to modify EFI boot variables.

Type: boolean

Default: false

Declared by:

Where the EFI System Partition is mounted.

Type: string

Default: "/boot"

Declared by:

Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files. This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.

Type: boolean

Default: false

Declared by:

Whether copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.

Type: boolean

Default: false

Declared by:

Whether to enable the GNU GRUB boot loader.

Type: boolean

Default: true

Declared by:

Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.

Type: boolean

Default: false

Declared by:

Maximum of configurations in boot menu. GRUB has problems when there are too many entries.

Type: signed integer

Default: 100

Example: 120

Declared by:

GRUB entry name instead of default.

Type: string

Default: ""

Example: "Stable 2.6.21"

Declared by:

Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.

Type: boolean

Default: false

Declared by:

Index of the default menu item to be booted.

Type: signed integer or string

Default: "0"

Declared by:

The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.

Type: string

Default: ""

Example: "/dev/disk/by-id/wwn-0x500001234567890a"

Declared by:

The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install GRUB onto multiple devices.

Type: list of strings

Default: [ ]

Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" ]

Declared by:

Whether to invoke grub-install with --removable.

Unless you turn this on, GRUB will install itself somewhere in boot.loader.efi.efiSysMountPoint (exactly where depends on other config variables). If you've set boot.loader.efi.canTouchEfiVariables *AND* you are currently booted in UEFI mode, then GRUB will use efibootmgr to modify the boot order in the EFI variables of your firmware to include this location. If you are *not* booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed ("efibootmgr: EFI variables are not supported on this system.").

If you turn this feature on, GRUB will install itself in a special location within efiSysMountPoint (namely EFI/boot/boot$arch.efi) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.

To summarize, turn this on if:

Type: boolean

Default: false

Declared by:

Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: boolean

Default: false

Declared by:

Additional GRUB commands inserted in the configuration file just before the menu entries.

Type: strings concatenated with "\n"

Default: ""

Example: "serial; terminal_output.serial"

Declared by:

Any additional entries you want added to the GRUB boot menu.

Type: strings concatenated with "\n"

Default: ""

Example:

''
# GRUB 1 example (not GRUB 2 compatible)
title Windows
  chainloader (hd0,1)+1

# GRUB 2 example
menuentry "Windows 7" {
  chainloader (hd0,4)+1
}

# GRUB 2 with UEFI example, chainloading another distro
menuentry "Fedora" {
  set root=(hd1,1)
  chainloader /efi/fedora/grubx64.efi
}
''

Declared by:

Whether extraEntries are included before the default option.

Type: boolean

Default: false

Declared by:

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Type: attribute set of paths

Default: { }

Example:

{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }

Declared by:

The path to a second initramfs to be supplied to the kernel. This ramfs will not be copied to the store, so that it can contain secrets such as LUKS keyfiles or ssh keys. This implies that rolling back to a previous configuration won't rollback the state of this file.

Type: null or path

Default: null

Example: "/boot/extra_initramfs.gz"

Declared by:

Additional GRUB commands inserted in the configuration file at the start of each vpsAdminOS menu entry.

Type: strings concatenated with "\n"

Default: ""

Example: "root (hd0)"

Declared by:

Additional bash commands to be run at the script that prepares the GRUB menu entries.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Path to a TrueType, OpenType, or pf2 font to be used by Grub.

Type: null or path

Default: "\${pkgs.grub2}/share/grub/unicode.pf2"

Declared by:

Font size for the grub menu. Ignored unless font is set to a ttf or otf font.

Type: null or signed integer

Default: null

Example:

Declared by:

Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.

Type: boolean

Default: false

Declared by:

Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that grub will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as show in df or mount. Note, zfs zpools / datasets are ignored and will always be mounted using their labels.

Type: one of "uuid", "label", "provided"

Default: "uuid"

Declared by:

The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.

Type: string

Default: "1024x768"

Example: "auto"

Declared by:

The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.

Type: string

Default: "auto"

Example: "1024x768"

Declared by:

Set of iPXE scripts available for booting from the GRUB boot menu.

Type: attribute set of path or strings

Default: { }

Example:

{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.vpsadminos.org/script.ipxe
  '';
}

Declared by:

Mirror the boot configuration to multiple partitions and install grub to the respective devices corresponding to those partitions.

Type: list of submodules

Default: [ ]

Example: [ { devices = [ "/dev/disk/by-id/wwn-0x500001234567890a" ] ; path = "/boot1"; } { devices = [ "/dev/disk/by-id/wwn-0x500009876543210a" ] ; path = "/boot2"; } ]

Declared by:

The path to the devices which will have the GRUB MBR written. Note these are typically device paths and not paths to partitions.

Type: list of strings

Default: [ ]

Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a" ]

Declared by:

The id of the bootloader to store in efi nvram. The default is to name it vpsAdminOS and append the path or efiSysMountPoint. This is only used if boot.loader.efi.canTouchEfiVariables is true.

Type: null or string

Default: null

Example: "vpsAdminOS-fsid"

Declared by:

The path to the efi system mount point. Usually this is the same partition as the above path and can be left as null.

Type: null or string

Default: null

Example: "/boot1/efi"

Declared by:

The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.

Type: string

Example: "/boot1"

Declared by:

Background image used for GRUB. Set to null to run GRUB in text mode.

Type: null or path

Example:

./my-background.png

Declared by:

Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.

Type: string

Default: "/nix/store"

Declared by:

Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support.

Type: boolean

Default: false

Declared by:

Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops.

Type: boolean

Default: false

Declared by:

Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.

Type: string

Default: ""

Example: "YES_TPM_is_activated"

Declared by:

If set to true, append entries for other OSs detected by os-prober.

Type: boolean

Default: false

Declared by:

The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.

Type: signed integer

Default: 2

Example: 1

Declared by:

Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: boolean

Default: false

Declared by:

Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.

Type: null or signed integer

Default: 5

Declared by:

Shell commands to be executed just before runit is started.

Type: strings concatenated with "\n"

Default: ""

Example: "rm -f /var/log/messages"

Declared by:

Action to take automatically if stage-1 fails. n - create new pool (may also erase disks and run partitioning if configured) i - interactive shell r - reboot * - ignore Useful for unattended installations and testing.

Type: one of "", "n", "i", "r", "*"

Default: ""

Declared by:

mount proc with hidepid=2

Type: boolean

Default: false

Declared by:

Disks available within the VM

Type: list of submodules

Default: [ { create = true; device = "sda.img"; size = "8G"; type = "file"; } ]

Declared by:

Create the device if it does not exist. Applicable only for file-backed devices.

Type: boolean

Declared by:

Path to the disk device

Type: string

Declared by:

Device size

Type: string

Default: ""

Declared by:

Device type

Type: one of "file", "blockdev"

Declared by:

This option has no description.

Type: string

Default: "25%"

Example: "256m"

Declared by:

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

Location of the mounted the file system.

Type: string (with check: non-empty)

Example: "/mnt/usb"

Declared by:

Options used to mount the file system.

Type: list of string (with check: non-empty)s

Default: [ "defaults" ]

Example: [ "data=journal" ]

Declared by:

Names of supported filesystem types.

Type: list of strings

Default: [ ]

Example: [ "btrfs" ]

Declared by:

(Deprecated) This option, if set, activates the VESA 800x600 video mode on boot and disables kernel modesetting. It is equivalent to specifying [ "vga=0x317" "nomodeset" ] in the boot.kernelParams option. This option is deprecated as of 2020: Xorg now works better with modesetting, and you might want a different VESA vga setting, anyway.

Type: boolean

Default: false

Declared by:

Directories used to search disk devices. This should be a path under /dev containing stable names for all devices needed, as import may fail if device nodes are renamed concurrently with a device failing.

Type: list of strings

Default: [ "/dev/disk/by-id" ]

Declared by:

Forcibly import the ZFS root pool(s) during early boot.

Type: boolean

Default: false

Declared by:

This option has no description.

Type: attribute set of submodules

Declared by:

Devices used for secondary read cache (L2ARC).

Type: list of strings

Default: [ ]

Example: [ "sde2" "sdf2" ]

Declared by:

Declaratively create ZFS file systems or volumes and configure properties. Dataset names are relative to the pool and optionally may start with a slash. Configured properties are passed directly to ZFS, see man zfs(8) for more information. No dataset is ever destroyed and properties removed from the configuration are not unset once deployed. To reset a property, set its value to `inherit`.

Type: attribute set of submodules

Default: { / = { properties = { xattr = { _type = "override"; content = "sa"; priority = 1000; } ; } ; } ; }

Example: { / = { properties = { sharenfs = "on"; } ; } ; data = { properties = { quota = "100G"; } ; } ; volume = { properties = { volsize = "50G"; } ; type = "volume"; } ; }

Declared by:

ZFS properties, see man zfs(8).

Type: attribute set

Default: { }

Declared by:

Dataset type

Type: one of "filesystem", "volume"

Default: "filesystem"

Declared by:

Determines whether disks are partitioned and zpool is created when the pool cannot be imported, suggesting it does not exist. Do not enable this in production, existing pools might fail to import for unforeseen reasons and recreating them will result in data loss.

Type: boolean

Default: false

Declared by:

Pool ID used for importing.

Type: null or string

Default: null

Declared by:

Import the pool into osctld to be used for containers.

Type: boolean

Default: false

Declared by:

Pool layout to pass to zpool create. The pool can be created either manually using script do-create-pool-<pool> or automatically when boot.zfs.pools.<pool>.doCreate is set and the pool cannot be imported.

Type: list of submodules

Default: [ ]

Declared by:

List of device names.

Type: list of strings

Declared by:

Virtual device type, see man zpool(8) for more information.

Type: one of "stripe", "mirror", "raidz", "raidz1", "raidz2", "raidz3"

Default: "stripe"

Example: "mirror"

Declared by:

Devices used for ZFS Intent Log (ZIL).

Type: list of submodules

Default: [ ]

Example: { devices = [ "sde1" "sdf1" ] ; mirror = true; }

Declared by:

List of device names.

Type: list of strings

Declared by:

Determines whether the log devices will be mirrored or not.

Type: boolean

Declared by:

Partition disks This creates a sfdisk input for simple partitioning, X in 'pX' means partition number. If sizeGB is not specified the rest of the dist will be used for this partition.

Type: attribute set of attribute set of submoduless

Default: { }

Example: { sde = { p1 = { sizeGB = 20; } ; p2 = { sizeGB = 10; type = "fd"; } ; p3 = { } ; } ; }

Declared by:

Partition size in gigabytes

Type: null or positive integer, meaning >0

Default: null

Declared by:

Partition type (list with `sfdisk -T`)

Type: one of "fd"

Default: "fd"

Declared by:

zpool properties, see man zpool(8) for more information.

Type: attribute set

Default: { }

Example: { readonly = "on"; }

Declared by:

Enables periodic scrubbing

Type: boolean

Default: false

Declared by:

Date and time expression for when to scrub the pool in a crontab format, i.e. minute, hour, day of month, month and day of month separated by spaces.

Type: string

Default: "0 4 */14 * *"

Declared by:

Determines whether ZFS filesystems with sharenfs set should be exported. When set to always, zfs share is run every time the service is started. When set to once, filesystems are exported only once for this pool, e.g. when the service is restarted on upgrade, filesystems are not reexported. off disables automated exporting completely.

Type: one of "always", "once", "off"

Default: "always"

Declared by:

List of devices to be used as hot spares.

Type: list of strings

Default: [ ]

Declared by:

Wipe disks prior to disk partitioning and pool creation (dangerous!). Uses dd to erase first and last 1024 sectors of the device.

Type: list of strings

Default: [ ]

Example: [ "sda" "sdb" ]

Declared by:

Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in /run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them. If you need debug symbols for a package that doesn't provide them by default, you can enable them as follows:

nixpkgs.config.packageOverrides = pkgs: {
  hello = pkgs.hello.overrideAttrs (oldAttrs: {
    separateDebugInfo = true;
  });
};

Type: boolean

Default: false

Declared by:

Set of files that have to be linked in /etc.

Type: attribute set of submodules

Default: { }

Example:

{ example-configuration-file =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by:

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Type: boolean

Default: true

Declared by:

GID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').

Type: signed integer

Default: 0

Declared by:

Group name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over gid.

Type: string

Default: "+0"

Declared by:

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Type: string

Default: "symlink"

Example: "0600"

Declared by:

Path of the source file.

Type: path

Declared by:

Name of symlink (relative to /etc). Defaults to the attribute name.

Type: string

Declared by:

Text of the file.

Type: null or strings concatenated with "\n"

Default: null

Declared by:

UID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').

Type: signed integer

Default: 0

Declared by:

User name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over uid.

Type: string

Default: "+0"

Declared by:

Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

List of additional package outputs to be symlinked into /run/current-system/sw.

Type: list of strings

Default: [ ]

Example: [ "doc" "info" "docdev" ]

Declared by:

Include ~/bin/ in $PATH.

Type: boolean

Default: false

Declared by:

Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

List of directories to be symlinked in /run/current-system/sw.

Type: list of strings

Default: [ ]

Example: [ "/" ]

Declared by:

Attribute set of environment variable. Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable.

Type: attribute set of list of stringss

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }

Declared by:

Attribute set of environment variable used in the global environment. These variables will be set by PAM early in the login process. Variable substitution is available as described in pam_env.conf(5). Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable. Also, these variables are merged into environment.profileRelativeEnvVars and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of list of stringss

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }

Declared by:

A list of profiles used to setup the global environment.

Type: list of strings

Default: [ ]

Declared by:

A set of environment variables used in the global environment. These variables will be set by PAM early in the login process. The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters. Note, due to limitations in the PAM format values may not contain the " character. Also, these variables are merged into environment.variables and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of string or list of stringss

Default: { }

Declared by:

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells. Aliases mapped to null are ignored.

Type: attribute set of null or string or paths

Example: { l = null; ll = "ls -l"; }

Declared by:

Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.

Type: list of package or paths

Default: [ ]

Example:

[ pkgs.bashInteractive pkgs.zsh ]

Declared by:

This option has no description.

Type: list of packages

Default: [ ]

Example:

[ pkgs.firefox pkgs.thunderbird ]

Declared by:

A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Type: attribute set of string or list of stringss

Default: { }

Example: { EDITOR = "nvim"; VISUAL = "nvim"; }

Declared by:

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]). Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Type: attribute set of submodules

Default: { }

Example:

{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}

Declared by:

If the device does not currently contain a filesystem (as determined by blkid, then automatically format it with the filesystem type specified in fsType. Use with caution.

Type: boolean

Default: false

Declared by:

If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.

Type: boolean

Default: false

Declared by:

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

If autoFormat option is set specifies extra options passed to mkfs.

Type: string

Default: ""

Declared by:

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

Label of the device (if any).

Type: null or string (with check: non-empty)

Default: null

Example: "root-partition"

Declared by:

Location of the mounted the file system.

Type: string (with check: non-empty)

Example: "/mnt/usb"

Declared by:

If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing /nix/store.

Type: boolean

Default: false

Declared by:

Disable running fsck on this filesystem.

Type: boolean

Default: false

Declared by:

Options used to mount the file system.

Type: list of string (with check: non-empty)s

Default: [ "defaults" ]

Example: [ "data=journal" ]

Declared by:

Turn on this option if you want to enable all the firmware.

Type: boolean

Default: false

Declared by:

Turn on this option if you want to enable all the firmware with a license allowing redistribution. (i.e. free firmware and firmware-linux-nonfree)

Type: boolean

Default: false

Declared by:

This option has no description.

Type: list of packages

Default: [ ]

Declared by:

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

Type: string

Default: "en_US.UTF-8"

Example: "nl_NL.UTF-8"

Declared by:

A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.

Type: attribute set of strings

Default: { }

Example: { LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; }

Declared by:

Customized pkg.glibcLocales package. Changing this option can disable handling of i18n.defaultLocale and supportedLocale.

Type: path

Default: (build of glibc-locales-2.31)

Example:

pkgs.glibcLocales

Declared by:

List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED.

Type: list of strings

Default: [ "all" ]

Example: [ "en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1" ]

Declared by:

This option has no description.

Type: unspecified

Declared by:

This option allows modules to define helper functions, constants, etc.

Type: attribute set of attribute sets

Default: { }

Declared by:

Your current latitude, between -90.0 and 90.0. Must be provided along with longitude.

Type: floating point number

Declared by:

Your current longitude, between between -180.0 and 180.0. Must be provided along with latitude.

Type: floating point number

Declared by:

The location provider to use for determining your location. If set to manual you must also provide latitude/longitude.

Type: one of "manual", "geoclue2"

Default: "manual"

Declared by:

Whether to install the HTML manual.

Type: boolean

Default: false

Declared by:

Whether to install a JSON formatted list of all vpsAdminOS options. This can be located at <profile directory>/share/doc/vpsadminos/options.json, and may be used for navigating definitions, auto-completing, and other miscellaneous tasks.

Type: boolean

Default: false

Example: true

Declared by:

Whether to install the configuration manual page. The manual can be reached by man vpsadminos-configuration.nix.

Type: boolean

Default: true

Example: false

Declared by:

This option has no description.

Type: unspecified

Declared by:

This option has no description.

Type: unspecified

Default: true

Declared by:

Whether to enable BIRD Internet Routing Daemon.

Type: boolean

Default: false

Example: true

Declared by:

BIRD Internet Routing Daemon configuration file. http://bird.network.cz/

Type: strings concatenated with "\n"

Default: ""

Declared by:

This option has no description.

Type: string

Default: "/var/log/bird.log"

Declared by:

This option has no description.

Type: string

Default: "all"

Declared by:

Enable BFD

Type: boolean

Default: false

Declared by:

BFD interfaces

Type: attribute set of submodules

Declared by:

desired TX interval if neighbor not available or not running BFD (milliseconds)

Type: positive integer, meaning >0

Default: 1000

Declared by:

minimum RX interval (milliseconds)

Type: positive integer, meaning >0

Default: 10

Declared by:

desired TX interval (milliseconds)

Type: positive integer, meaning >0

Default: 100

Declared by:

BGP instances

Type: attribute set of submodules

Declared by:

BGP autonomous system ID

Type: positive integer, meaning >0

Declared by:

This option has no description.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Our neighbors

Type: attribute set of positive integer, meaning >0s

Declared by:

Always advertise our own local address as a next hop

Type: boolean

Default: false

Declared by:

Extra config for device protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

Time in seconds between two scans of the network interface list.

Type: positive integer, meaning >0

Default: 1

Declared by:

Restrict devices used by direct protocol

Type: string

Default: "*"

Declared by:

Extra config for kernel protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

Whether to enable Enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator..

Type: boolean

Default: false

Example: true

Declared by:

Whether to enable Tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up)..

Type: boolean

Default: false

Example: true

Declared by:

Time in seconds between two consecutive scans of the kernel routing table.

Type: positive integer, meaning >0

Default: 10

Declared by:

Set BIRD's router ID based on an IP address of an interface specified by an interface pattern.

Type: string

Declared by:

Whether to enable BIRD Internet Routing Daemon.

Type: boolean

Default: false

Example: true

Declared by:

BIRD Internet Routing Daemon configuration file. http://bird.network.cz/

Type: strings concatenated with "\n"

Default: ""

Declared by:

This option has no description.

Type: string

Default: "/var/log/bird6.log"

Declared by:

This option has no description.

Type: string

Default: "all"

Declared by:

Enable BFD

Type: boolean

Default: false

Declared by:

BFD interfaces

Type: attribute set of submodules

Declared by:

desired TX interval if neighbor not available or not running BFD (milliseconds)

Type: positive integer, meaning >0

Default: 1000

Declared by:

minimum RX interval (milliseconds)

Type: positive integer, meaning >0

Default: 10

Declared by:

desired TX interval (milliseconds)

Type: positive integer, meaning >0

Default: 100

Declared by:

BGP instances

Type: attribute set of submodules

Declared by:

BGP autonomous system ID

Type: positive integer, meaning >0

Declared by:

This option has no description.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Our neighbors

Type: attribute set of positive integer, meaning >0s

Declared by:

Always advertise our own local address as a next hop

Type: boolean

Default: false

Declared by:

Extra config for device protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

Time in seconds between two scans of the network interface list.

Type: positive integer, meaning >0

Default: 1

Declared by:

Restrict devices used by direct protocol

Type: string

Default: "*"

Declared by:

Extra config for kernel protocol

Type: strings concatenated with "\n"

Default: ""

Declared by:

Whether to enable Enable learning of routes added to the kernel routing tables by other routing daemons or by the system administrator..

Type: boolean

Default: false

Example: true

Declared by:

Whether to enable Tell BIRD to leave all its routes in the routing tables when it exits (instead of cleaning them up)..

Type: boolean

Default: false

Example: true

Declared by:

Time in seconds between two consecutive scans of the kernel routing table.

Type: positive integer, meaning >0

Default: 10

Declared by:

Set BIRD's router ID based on an IP address of an interface specified by an interface pattern.

Type: string

Declared by:

use Chrony daemon for network time synchronization

Type: boolean

Default: true

Declared by:

Custom set of commands used to set-up networking

Type: strings concatenated with "\n"

Default: ""

Example:

''

          ip addr add 10.0.0.1 dev ix0
          ip link set ix0 up
        ''

Declared by:

use DHCP to obtain IP

Type: boolean

Default: false

Declared by:

Whether to enable Enable dhcpd for lxc containers.

Type: boolean

Default: false

Example: true

Declared by:

The domain. It can be left empty if it is auto-detected through DHCP.

Type: null or string

Default: null

Example: "home"

Declared by:

Additional verbatim entries to be appended to /etc/hosts.

Type: strings concatenated with "\n"

Default: ""

Example: "192.168.0.1 lanlocalhost"

Declared by:

Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.

Type: boolean

Default: true

Declared by:

The iptables package to use for running the firewall service."

Type: package

Default: "pkgs.iptables"

Example:

pkgs.iptables-nftables-compat

Declared by:

Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.

Type: boolean

Default: true

Declared by:

A range of TCP ports on which incoming connections are accepted.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)ss

Default: [ ]

Example: [ { from = 8999; to = 9003; } ]

Declared by:

List of TCP ports on which incoming connections are accepted.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s

Default: [ ]

Example: [ 22 80 ]

Declared by:

Range of open UDP ports.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)ss

Default: [ ]

Example: [ { from = 60000; to = 61000; } ]

Declared by:

List of open UDP ports.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s

Default: [ ]

Example: [ 53 ]

Declared by:

Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules (needs kernel 3.5+)

Type: boolean

Default: false

Declared by:

Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused. If using asymmetric routing or other complicated routing, set this option to loose mode or disable it and setup your own counter-measures. This option can be either true (or "strict"), "loose" (only drop the packet if the source address is not reachable via any interface) or false. Defaults to the value of kernelHasRPFilter. (needs kernel 3.3+)

Type: boolean or one of "strict", "loose"

Default: true

Example: "loose"

Declared by:

List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example. As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default. Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/

Type: list of strings

Default: [ ]

Example: [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]

Declared by:

Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used to allow packets that would otherwise be refused.

Type: strings concatenated with "\n"

Default: ""

Example: "iptables -A INPUT -p icmp -j ACCEPT"

Declared by:

Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands.

Type: list of packages

Default: [ ]

Example:

[ pkgs.ipset ]

Declared by:

Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed state.

Type: strings concatenated with "\n"

Default: ""

Example: "iptables -P INPUT ACCEPT"

Declared by:

Interface-specific open ports.

Type: attribute set of submodules

Default: { }

Declared by:

A range of TCP ports on which incoming connections are accepted.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)ss

Default: [ ]

Example: [ { from = 8999; to = 9003; } ]

Declared by:

List of TCP ports on which incoming connections are accepted.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s

Default: [ ]

Example: [ 22 80 ]

Declared by:

Range of open UDP ports.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)ss

Default: [ ]

Example: [ { from = 60000; to = 61000; } ]

Declared by:

List of open UDP ports.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s

Default: [ ]

Example: [ 53 ]

Declared by:

Whether to log rejected or dropped incoming connections.

Type: boolean

Default: true

Declared by:

Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging.

Type: boolean

Default: false

Declared by:

If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.

Type: boolean

Default: true

Declared by:

Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.

Type: boolean

Default: false

Declared by:

If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "--limit 1/minute --limit-burst 5"

Type: null or strings concatenated with " "

Default: null

Example: "--limit 1/minute --limit-burst 5"

Declared by:

If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client (or a TCP RST packet in case of an existing connection). Rejecting packets makes port scanning somewhat easier.

Type: boolean

Default: false

Declared by:

Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.

Type: list of strings

Default: [ ]

Example: [ "enp0s2" ]

Declared by:

machine hostname

Type: string

Default: "default"

Declared by:

Locally defined maps of hostnames to IP addresses.

Type: attribute set of list of stringss

Default: { }

Example:

{
  "127.0.0.1" = [ "foo.bar.baz" ];
  "192.168.0.2" = [ "fileserver.local" "nameserver.local" ];
};

Declared by:

create lxc bridge interface

Type: boolean

Default: false

Declared by:

The list of nameservers. It can be left empty if it is auto-detected through DHCP.

Type: list of strings

Default: [ ]

Example: [ "208.67.222.222" "208.67.220.220" ]

Declared by:

enable NAT for containers

Type: boolean

Default: true

Declared by:

Set of commands run prior to any other network configuration

Type: strings concatenated with "\n"

Default: ""

Declared by:

The list of search paths used when resolving domain names.

Type: list of strings

Default: [ ]

Example: [ "example.com" "local.domain" ]

Declared by:

use static networking configuration

Type: boolean

Default: false

Declared by:

gateway IP address for static networking configuration

Type: string

Default: "10.0.2.2"

Declared by:

interface for static networking configuration

Type: string

Default: "eth0"

Declared by:

IP address for static networking configuration

Type: string

Default: "10.0.2.15"

Declared by:

route

Type: string

Default: "10.0.2.0/24"

Declared by:

The set of NTP servers from which to synchronise.

Type: unspecified

Default: [ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]

Declared by:

Alias of networking.dhcp.

Type: boolean

Declared by:

This option specifies the Nix package instance to use throughout the system.

Type: package

Default: "pkgs.nix"

Declared by:

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.trustedUsers, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *. Note that trusted users are always allowed to connect.

Type: list of strings

Default: [ "*" ]

Example: [ "@wheel" "@builders" "alice" "bob" ]

Declared by:

If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.

Type: boolean

Default: false

Example: true

Declared by:

List of public keys used to sign binary caches. If nix.requireSignedBinaryCaches is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key for cache.nixos.org is included.

Type: list of strings

Example: [ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]

Declared by:

List of binary cache URLs used to obtain pre-built binaries of Nix packages. By default https://cache.nixos.org/ is added, to override it use lib.mkForce [].

Type: list of strings

Declared by:

This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.

Type: signed integer

Default: 0

Example: 64

Declared by:

This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store.

Type: list of submodules

Default: [ ]

Declared by:

The hostname of the build machine.

Type: string

Example: "nixbuilder.example.org"

Declared by:

A list of features mandatory for this builder. The builder will be ignored for derivations that don't require all features in this list. All mandatory features are automatically included in supportedFeatures.

Type: list of strings

Default: [ ]

Example: [ "big-parallel" ]

Declared by:

The number of concurrent jobs the build machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build machines.

Type: signed integer

Default: 1

Declared by:

The relative speed of this builder. This is an arbitrary integer that indicates the speed of this builder, relative to other builders. Higher is faster.

Type: signed integer

Default: 1

Declared by:

The path to the SSH private key with which to authenticate on the build machine. The private key must not have a passphrase. If null, the building user (root on NixOS machines) must have an appropriate ssh configuration to log in non-interactively. Note that for security reasons, this path must point to a file in the local filesystem, *not* to the nix store.

Type: null or string

Default: null

Example: "/root/.ssh/id_buildhost_builduser"

Declared by:

The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in nix.trustedUsers.

Type: null or string

Default: null

Example: "builder"

Declared by:

A list of features supported by this builder. The builder will be ignored for derivations that require features not in this list.

Type: list of strings

Default: [ ]

Example: [ "kvm" "big-parallel" ]

Declared by:

The system type the build machine can execute derivations on. Either this attribute or systems must be present, where system takes precedence if both are set.

Type: null or string

Default: null

Example: "x86_64-linux"

Declared by:

The system types the build machine can execute derivations on. Either this attribute or system must be present, where system takes precedence if both are set.

Type: list of strings

Default: [ ]

Example: [ "x86_64-linux" "aarch64-linux" ]

Declared by:

If enabled (the default), checks that Nix can parse the generated nix.conf.

Type: boolean

Default: true

Declared by:

Whether to enable Enable nix daemon.

Type: boolean

Default: false

Example: true

Declared by:

Nix daemon process I/O priority. This priority propagates to build processes. 0 is the default Unix process I/O priority, 7 is the lowest.

Type: signed integer

Default: 0

Declared by:

Nix daemon process priority. This priority propagates to build processes. 0 is the default Unix process priority, 19 is the lowest.

Type: signed integer

Default: 0

Declared by:

Whether to distribute builds to the machines listed in nix.buildMachines.

Type: boolean

Default: false

Declared by:

Additional text appended to nix.conf.

Type: strings concatenated with "\n"

Default: ""

Example:

''
keep-outputs = true
keep-derivations = true
''

Declared by:

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommend to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).

Type: signed integer or one of "auto"

Default: "auto"

Example: 64

Declared by:

The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets (e.g. <nixpkgs>).

Type: list of strings

Default: [ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]

Declared by:

Number of nixbld user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.

Type: signed integer

Declared by:

If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount. Nix will automatically make the store writable when needed.

Type: boolean

Default: true

Declared by:

A system-wide flake registry.

Type: attribute set of submodules

Default: { }

Declared by:

Whether the from reference needs to match exactly. If set, a from reference like nixpkgs does not match with a reference like nixpkgs/nixos-20.03.

Type: boolean

Default: true

Declared by:

The flake input to which from> is to be rewritten.

Type: unspecified

Default: null

Example:

nixpkgs

Declared by:

The flake reference to be rewritten.

Type: attribute set of string or signed integer or boolean or packages

Example: { id = "nixpkgs"; type = "indirect"; }

Declared by:

The flake reference to which from> is to be rewritten.

Type: attribute set of string or signed integer or boolean or packages

Example: { owner = "my-org"; repo = "my-nixpkgs"; type = "github"; }

Declared by: