Configuration Options¶
appstream.enable¶
Whether to install files to support the AppStream metadata specification.
Type: boolean
Default:
trueDeclared by:
boot.enableContainers¶
Whether to enable support for NixOS containers.
Type: boolean
Default:
trueDeclared by:
boot.binfmt.emulatedSystems¶
List of systems to emulate. Will also configure Nix to support your new systems.
Type: list of strings
Default: ``[
]``
Example:
[ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ]Declared by:
boot.binfmt.registrations¶
Extra binary formats to register with the kernel. See https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html for more details.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
boot.binfmt.registrations.<name>.fixBinary¶
Whether to open the interpreter file as soon as the registration is loaded, rather than waiting for a relevant file to be invoked.
See the description of the ‘F’ flag in the kernel docs for more details.
Type: boolean
Default:
falseDeclared by:
boot.binfmt.registrations.<name>.interpreter¶
The interpreter to invoke to run the program.
Note that the actual registration will point to /run/binfmt/${name}, so the kernel interpreter length limit doesn’t apply.
Type: path
Declared by:
boot.binfmt.registrations.<name>.magicOrExtension¶
The magic number or extension to match on.
Type: string
Declared by:
boot.binfmt.registrations.<name>.mask¶
A mask to be ANDed with the byte sequence of the file before matching
Type: null or string
Default:
nullDeclared by:
boot.binfmt.registrations.<name>.matchCredentials¶
Whether to launch with the credentials and security token of the binary, not the interpreter (e.g. setuid bit).
See the description of the ‘C’ flag in the kernel docs for more details.
Implies/requires openBinary = true.
Type: boolean
Default:
falseDeclared by:
boot.binfmt.registrations.<name>.offset¶
The byte offset of the magic number used for recognition.
Type: null or signed integer
Default:
nullDeclared by:
boot.binfmt.registrations.<name>.openBinary¶
Whether to pass the binary to the interpreter as an open file descriptor, instead of a path.
Type: boolean
Default:
falseDeclared by:
boot.binfmt.registrations.<name>.preserveArgvZero¶
Whether to pass the original argv[0] to the interpreter.
See the description of the ‘P’ flag in the kernel docs for more details;
Type: boolean
Default:
falseDeclared by:
boot.binfmt.registrations.<name>.recognitionType¶
Whether to recognize executables by magic number or extension.
Type: one of “magic”, “extension”
Default:
"magic"Declared by:
boot.binfmtMiscRegistrations.<name>.fixBinary¶
Whether to open the interpreter file as soon as the registration is loaded, rather than waiting for a relevant file to be invoked.
See the description of the ‘F’ flag in the kernel docs for more details.
Type: boolean
Default:
falseDeclared by:
boot.binfmtMiscRegistrations.<name>.interpreter¶
The interpreter to invoke to run the program.
Note that the actual registration will point to /run/binfmt/${name}, so the kernel interpreter length limit doesn’t apply.
Type: path
Declared by:
boot.binfmtMiscRegistrations.<name>.magicOrExtension¶
The magic number or extension to match on.
Type: string
Declared by:
boot.binfmtMiscRegistrations.<name>.mask¶
A mask to be ANDed with the byte sequence of the file before matching
Type: null or string
Default:
nullDeclared by:
boot.binfmtMiscRegistrations.<name>.matchCredentials¶
Whether to launch with the credentials and security token of the binary, not the interpreter (e.g. setuid bit).
See the description of the ‘C’ flag in the kernel docs for more details.
Implies/requires openBinary = true.
Type: boolean
Default:
falseDeclared by:
boot.binfmtMiscRegistrations.<name>.offset¶
The byte offset of the magic number used for recognition.
Type: null or signed integer
Default:
nullDeclared by:
boot.binfmtMiscRegistrations.<name>.openBinary¶
Whether to pass the binary to the interpreter as an open file descriptor, instead of a path.
Type: boolean
Default:
falseDeclared by:
boot.binfmtMiscRegistrations.<name>.preserveArgvZero¶
Whether to pass the original argv[0] to the interpreter.
See the description of the ‘P’ flag in the kernel docs for more details;
Type: boolean
Default:
falseDeclared by:
boot.binfmtMiscRegistrations.<name>.recognitionType¶
Whether to recognize executables by magic number or extension.
Type: one of “magic”, “extension”
Default:
"magic"Declared by:
boot.blacklistedKernelModules¶
List of names of kernel modules that should not be loaded automatically by the hardware probing code.
Type: list of strings
Default: ``[
]``
Example:
[ "cirrusfb" "i2c_piix4" ]Declared by:
boot.cleanTmpDir¶
Whether to delete all files in
/tmpduring boot.Type: boolean
Default:
falseDeclared by:
boot.consoleLogLevel¶
The kernel console
loglevel. All Kernel Messages with a log level smaller than this setting will be printed to the console.Type: signed integer
Default:
4Declared by:
boot.crashDump.enable¶
If enabled, NixOS will set up a kernel that will boot on crash, and leave the user in systemd rescue to be able to save the crashed kernel dump at /proc/vmcore. It also activates the NMI watchdog.
Type: boolean
Default:
falseDeclared by:
boot.crashDump.kernelParams¶
Parameters that will be passed to the kernel kexec-ed on crash.
Type: list of strings
Default:
[ "1" "boot.shell_on_fail" ]Declared by:
boot.crashDump.reservedMemory¶
The amount of memory reserved for the crashdump kernel. If you choose a too high value, dmesg will mention “crashkernel reservation failed”.
Type: unspecified
Default:
"128M"Declared by:
boot.devShmSize¶
Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.
Type: string
Default:
"50%"Example:
"256m"Declared by:
boot.devSize¶
Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.
Type: string
Default:
"5%"Example:
"32m"Declared by:
boot.extraModprobeConfig¶
Any additional configuration to be appended to the generated:file:modprobe.conf. This is typically used to specify module options. Seemodprobe.conf5 for details.
Type: strings concatenated with “\n”
Default:
""Example:
'' options parport_pc io=0x378 irq=7 dma=1 ''Declared by:
boot.extraModulePackages¶
A list of additional packages supplying kernel modules.
Type: list of packages
Default: ``[
]``
Example:
[ config.boot.kernelPackages.nvidia_x11 ]Declared by:
boot.growPartition¶
Whether to enable grow the root partition on boot.
Type: boolean
Default:
falseExample:
trueDeclared by:
boot.hardwareScan¶
Whether to try to load kernel modules for all detected hardware. Usually this does a good job of providing you with the modules you need, but sometimes it can crash the system or cause other nasty effects.
Type: boolean
Default:
trueDeclared by:
boot.initrd.availableKernelModules¶
The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in .
Type: list of strings
Default: ``[
]``
Example:
[ "sata_nv" "ext3" ]Declared by:
boot.initrd.checkJournalingFS¶
Whether to run fsck on journaling filesystems such as ext3.
Type: boolean
Default:
trueDeclared by:
boot.initrd.kernelModules¶
List of modules that are always loaded by the initrd.
Type: list of strings
Default: ``[
]``
Declared by:
boot.initrd.luks.cryptoModules¶
A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.
Type: list of strings
Default:
[ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher" "aes_x86_64" ]Declared by:
boot.initrd.luks.devices¶
The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as:file:/dev/mapper/.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ luksroot = { device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; } ; }Declared by:
boot.initrd.luks.devices.<name?>.allowDiscards¶
Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it.
Type: boolean
Default:
falseDeclared by:
boot.initrd.luks.devices.<name?>.device¶
Path of the underlying encrypted block device.
Type: string
Example:
"/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"Declared by:
boot.initrd.luks.devices.<name?>.fallbackToPassword¶
Whether to fallback to interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.
Type: boolean
Default:
falseDeclared by:
boot.initrd.luks.devices.<name?>.fido2.credential¶
The FIDO2 credential ID.
Type: string
Default:
nullExample:
"f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"Declared by:
boot.initrd.luks.devices.<name?>.fido2.gracePeriod¶
Time in seconds to wait for the FIDO2 key.
Type: signed integer
Default:
10Declared by:
boot.initrd.luks.devices.<name?>.fido2.passwordLess¶
Defines whatever to use an empty string as a default salt.
Enable only when your device is PIN protected, such as Trezor.
Type: boolean
Default:
falseDeclared by:
boot.initrd.luks.devices.<name?>.gpgCard¶
The option to use this LUKS device with a GPG encrypted luks password by the GPG Smartcard. If null (the default), GPG-Smartcard will be disabled for this device.
Type: null or submodule
Default:
nullDeclared by:
boot.initrd.luks.devices.<name?>.gpgCard.encryptedPass¶
Path to the GPG encrypted passphrase.
Type: path
Default:
""Declared by:
boot.initrd.luks.devices.<name?>.gpgCard.gracePeriod¶
Time in seconds to wait for the GPG Smartcard.
Type: signed integer
Default:
10Declared by:
boot.initrd.luks.devices.<name?>.gpgCard.publicKey¶
Path to the Public Key.
Type: path
Default:
""Declared by:
boot.initrd.luks.devices.<name?>.header¶
The name of the file or block device that should be used as header for the encrypted device.
Type: null or string
Default:
nullExample:
"/root/header.img"Declared by:
boot.initrd.luks.devices.<name?>.keyFile¶
The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.
Type: null or string
Default:
nullExample:
"/dev/sdb1"Declared by:
boot.initrd.luks.devices.<name?>.keyFileOffset¶
The offset of the key file. Use this in combination with``keyFileSize`` to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of``keyFile``.
Type: null or signed integer
Default:
nullExample:
4096Declared by:
boot.initrd.luks.devices.<name?>.keyFileSize¶
The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole``keyFile`` will be used decryption, instead of just the first
keyFileSizebytes.Type: null or signed integer
Default:
nullExample:
4096Declared by:
boot.initrd.luks.devices.<name?>.preLVM¶
Whether the luksOpen will be attempted before LVM scan or after it.
Type: boolean
Default:
trueDeclared by:
boot.initrd.luks.devices.<name?>.yubikey¶
The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.
Type: null or submodule
Default:
nullDeclared by:
boot.initrd.luks.devices.<name?>.yubikey.gracePeriod¶
Time in seconds to wait for the Yubikey.
Type: signed integer
Default:
10Declared by:
boot.initrd.luks.devices.<name?>.yubikey.iterationStep¶
How much the iteration count for PBKDF2 is increased at each successful authentication.
Type: signed integer
Default:
0Declared by:
boot.initrd.luks.devices.<name?>.yubikey.keyLength¶
Length of the LUKS slot key derived with PBKDF2 in byte.
Type: signed integer
Default:
64Declared by:
boot.initrd.luks.devices.<name?>.yubikey.saltLength¶
Length of the new salt in byte (64 is the effective maximum).
Type: signed integer
Default:
16Declared by:
boot.initrd.luks.devices.<name?>.yubikey.slot¶
Which slot on the Yubikey to challenge.
Type: signed integer
Default:
2Declared by:
boot.initrd.luks.devices.<name?>.yubikey.storage.device¶
An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.
Type: path
Default:
"/dev/sda1"Declared by:
boot.initrd.luks.devices.<name?>.yubikey.storage.fsType¶
The filesystem of the unencrypted device.
Type: string
Default:
"vfat"Declared by:
boot.initrd.luks.devices.<name?>.yubikey.storage.path¶
Absolute path of the salt on the unencrypted device with that device’s root directory as “/”.
Type: string
Default:
"/crypt-storage/default"Declared by:
boot.initrd.luks.devices.<name?>.yubikey.twoFactor¶
Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false).
Type: boolean
Default:
trueDeclared by:
boot.initrd.luks.fido2Support¶
Enables support for authenticating with FIDO2 devices.
Type: boolean
Default:
falseDeclared by:
boot.initrd.luks.gpgSupport¶
Enables support for authenticating with a GPG encrypted password.
Type: boolean
Default:
falseDeclared by:
boot.initrd.luks.mitigateDMAAttacks¶
Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at ` <http://en.wikipedia.org/wiki/DMA_attack>`_.
This option blacklists FireWire drivers, but doesn’t remove them. You can manually load the drivers if you need to use a FireWire device, but don’t forget to unload them!
Type: boolean
Default:
trueDeclared by:
boot.initrd.luks.reusePassphrases¶
When opening a new LUKS device try reusing last successful passphrase.
Useful for mounting a number of devices that use the same passphrase without retyping it several times.
Such setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.
Type: boolean
Default:
trueDeclared by:
boot.initrd.luks.yubikeySupport¶
Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly setup a LUKS device and a Yubikey to work with this feature.
Type: boolean
Default:
falseDeclared by:
boot.initrd.mdadmConf¶
Contents of
/etc/mdadm.confin stage 1.Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.network.enable¶
Add network connectivity support to initrd. The network may be configured using the
ipkernel parameter, as described in the kernel documentation. Otherwise, if is enabled, an IP address is acquired using DHCP.You should add the module(s) required for your network card to boot.initrd.availableKernelModules.``lspci -v | grep -iA8 ‘network\|ethernet’`` will tell you which.
Type: boolean
Default:
falseDeclared by:
boot.initrd.network.postCommands¶
Shell commands to be executed after stage 1 of the boot has initialised the network.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.network.ssh.enable¶
Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished.
Type: boolean
Default:
falseDeclared by:
boot.initrd.network.ssh.authorizedKeys¶
Authorized keys for the root user on initrd. Note that Dropbear doesn’t support OpenSSH’s Ed25519 key type.
Type: list of strings
Default: ``[
]``
Declared by:
boot.initrd.network.ssh.hostDSSKey¶
DSS SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is contained insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you’ll expose them to regular users!
Type: null or path
Default:
nullDeclared by:
boot.initrd.network.ssh.hostECDSAKey¶
ECDSA SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is contained insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you’ll expose them to regular users!
Type: null or path
Default:
nullDeclared by:
boot.initrd.network.ssh.hostRSAKey¶
RSA SSH private key file in the Dropbear format.
WARNING: Unless your bootloader supports initrd secrets, this key is contained insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you’ll expose them to regular users!
Type: null or path
Default:
nullDeclared by:
boot.initrd.network.ssh.port¶
Port on which SSH initrd service should listen.
Type: signed integer
Default:
22Declared by:
boot.initrd.network.ssh.shell¶
Login shell of the remote user. Can be used to limit actions user can do.
Type: string
Default:
"/bin/ash"Declared by:
boot.initrd.network.udhcpc.extraArgs¶
Additional command-line arguments passed verbatim to udhcpc if and are enabled.
Type: list of strings
Default: ``[
]``
Declared by:
boot.initrd.postDeviceCommands¶
Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in:file:/dev.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.postMountCommands¶
Shell commands to be executed immediately after the stage 1 filesystems have been mounted.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.preDeviceCommands¶
Shell commands to be executed before udev is started to create device nodes.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.preFailCommands¶
Shell commands to be executed before the failure prompt is shown.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.preLVMCommands¶
Shell commands to be executed immediately before LVM discovery.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.initrd.prepend¶
Other initrd files to prepend to the final initrd we are building.
Type: list of strings
Default: ``[
]``
Declared by:
boot.initrd.supportedFilesystems¶
Names of supported filesystem types in the initial ramdisk.
Type: list of strings
Default: ``[
]``
Example:
[ "btrfs" ]Declared by:
boot.isContainer¶
Whether this NixOS machine is a lightweight container running in another NixOS system.
Type: boolean
Default:
falseDeclared by:
boot.kernel.randstructSeed¶
Provides a custom seed for the
RANDSTRUCTsecurity option of the Linux kernel. Note thatRANDSTRUCTis only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.Type: string
Default:
""Example:
"my secret seed"Declared by:
boot.kernel.sysctl¶
Runtime parameters of the Linux kernel, as set bysysctl8. Note that sysctl parameters names must be enclosed in quotes (e.g.
"vm.swappiness"instead of``vm.swappiness``). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).Type: attribute set of sysctl option values
Default: ``{
}``
Example:
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }Declared by:
boot.kernelModules¶
The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to or.
Type: list of strings
Default: ``[
]``
Declared by:
boot.kernelPackages¶
This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you’re using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute
kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute``nvidia_x11``.Type: unspecified
Default:
"pkgs.linuxPackages"Example:
pkgs.linuxPackages_2_6_25Declared by:
boot.kernelParams¶
boot.kernelPatches¶
A list of additional patches to apply to the kernel.
Type: list of attribute sets
Default: ``[
]``
Example:
[ pkgs.kernelPatches.ubuntu_fan_4_4 ]Declared by:
boot.loader.efi.canTouchEfiVariables¶
Whether the installation process is allowed to modify EFI boot variables.
Type: boolean
Default:
falseDeclared by:
boot.loader.efi.efiSysMountPoint¶
Where the EFI System Partition is mounted.
Type: string
Default:
"/boot"Declared by:
boot.loader.generationsDir.enable¶
Whether to create symlinks to the system generations under``/boot``. When enabled,``/boot/default/kernel``,``/boot/default/initrd``, etc., are updated to point to the current generation’s kernel image, initial RAM disk, and other bootstrap files.
This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.
Type: boolean
Default:
falseDeclared by:
boot.loader.generationsDir.copyKernels¶
Whether copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.
Type: boolean
Default:
falseDeclared by:
boot.loader.generic-extlinux-compatible.enable¶
Whether to generate an extlinux-compatible configuration file under
/boot/extlinux.conf. For instance, U-Boot’s generic distro boot support uses this file format.See U-boot’s documentation for more information.
Type: boolean
Default:
falseDeclared by:
boot.loader.generic-extlinux-compatible.configurationLimit¶
Maximum number of configurations in the boot menu.
Type: signed integer
Default:
20Example:
10Declared by:
boot.loader.grub.enable¶
Whether to enable the GNU GRUB boot loader.
Type: boolean
Default:
trueDeclared by:
boot.loader.grub.enableCryptodisk¶
Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.backgroundColor¶
Background color to be used for GRUB to fill the areas the image isn’t filling.
Note
This options has no effect for GRUB 1.
Type: null or string
Default:
nullExample:
"#7EBAE4"Declared by:
boot.loader.grub.configurationLimit¶
Maximum of configurations in boot menu. GRUB has problems when there are too many entries.
Type: signed integer
Default:
100Example:
120Declared by:
boot.loader.grub.configurationName¶
GRUB entry name instead of default.
Type: string
Default:
""Example:
"Stable 2.6.21"Declared by:
boot.loader.grub.copyKernels¶
Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.default¶
Index of the default menu item to be booted.
Type: signed integer or string
Default:
"0"Declared by:
boot.loader.grub.device¶
The device on which the GRUB boot loader will be installed. The special value
nodevmeans that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, useboot.loader.grub.devices.Type: string
Default:
""Example:
"/dev/disk/by-id/wwn-0x500001234567890a"Declared by:
boot.loader.grub.devices¶
The devices on which the boot loader, GRUB, will be installed. Can be used instead of
deviceto install GRUB onto multiple devices.Type: list of strings
Default: ``[
]``
Example:
[ "/dev/disk/by-id/wwn-0x500001234567890a" ]Declared by:
boot.loader.grub.efiInstallAsRemovable¶
Whether to invoke
grub-installwith``–removable``.Unless you turn this on, GRUB will install itself somewhere in``boot.loader.efi.efiSysMountPoint`` (exactly where depends on other config variables). If you’ve set``boot.loader.efi.canTouchEfiVariables`` AND you are currently booted in UEFI mode, then GRUB will use``efibootmgr`` to modify the boot order in the EFI variables of your firmware to include this location. If you are *not* booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed (“
efibootmgr: EFI variables are not supported on this system.”).If you turn this feature on, GRUB will install itself in a special location within
efiSysMountPoint(namely``EFI/boot/boot$arch.efi``) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.To summarize, turn this on if:
- You are installing NixOS and want it to boot in UEFI mode, but you are currently booted in legacy mode
- You want to make a drive that will boot regardless of the NVRAM state of the computer (like a USB “removable” drive)
- You simply dislike the idea of depending on NVRAM state to make your drive bootable
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.efiSupport¶
Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.extraConfig¶
Additional GRUB commands inserted in the configuration file just before the menu entries.
Type: strings concatenated with “\n”
Default:
""Example:
'' serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 terminal_input --append serial terminal_output --append serial ''Declared by:
boot.loader.grub.extraEntries¶
Any additional entries you want added to the GRUB boot menu.
Type: strings concatenated with “\n”
Default:
""Example:
'' # GRUB 1 example (not GRUB 2 compatible) title Windows chainloader (hd0,1)+1 # GRUB 2 example menuentry "Windows 7" { chainloader (hd0,4)+1 } # GRUB 2 with UEFI example, chainloading another distro menuentry "Fedora" { set root=(hd1,1) chainloader /efi/fedora/grubx64.efi } ''Declared by:
boot.loader.grub.extraEntriesBeforeNixOS¶
Whether extraEntries are included before the default option.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.extraFiles¶
A set of files to be copied to
/boot. Each attribute name denotes the destination file name in:file:/boot, while the corresponding attribute value specifies the source file.Type: attribute set of paths
Default: ``{
}``
Example:
{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }Declared by:
boot.loader.grub.extraInitrd¶
The path to a second initramfs to be supplied to the kernel. This ramfs will not be copied to the store, so that it can contain secrets such as LUKS keyfiles or ssh keys. This implies that rolling back to a previous configuration won’t rollback the state of this file.
Type: null or path
Default:
nullExample:
"/boot/extra_initramfs.gz"Declared by:
boot.loader.grub.extraPerEntryConfig¶
Additional GRUB commands inserted in the configuration file at the start of each NixOS menu entry.
Type: strings concatenated with “\n”
Default:
""Example:
"root (hd0)"Declared by:
boot.loader.grub.extraPrepareConfig¶
Additional bash commands to be run at the script that prepares the GRUB menu entries.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.loader.grub.font¶
Path to a TrueType, OpenType, or pf2 font to be used by Grub.
Type: null or path
Default:
''"''${pkgs.grub2}/share/grub/unicode.pf2"''Declared by:
boot.loader.grub.fontSize¶
Font size for the grub menu. Ignored unless
fontis set to a ttf or otf font.Type: null or signed integer
Default:
nullExample:
*Declared by:*
boot.loader.grub.forceInstall¶
Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.forcei686¶
Whether to force the use of a ia32 boot loader on x64 systems. Required to install and run NixOS on 64bit x86 systems with 32bit (U)EFI.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.fsIdentifier¶
Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that grub will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as show in df or:command:mount. Note, zfs zpools / datasets are ignored and will always be mounted using their labels.
Type: one of “uuid”, “label”, “provided”
Default:
"uuid"Declared by:
boot.loader.grub.gfxmodeBios¶
The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.
Type: string
Default:
"1024x768"Example:
"auto"Declared by:
boot.loader.grub.gfxmodeEfi¶
The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.
Type: string
Default:
"auto"Example:
"1024x768"Declared by:
boot.loader.grub.gfxpayloadBios¶
The gfxpayload to pass to GRUB when loading a graphical boot interface under BIOS.
Type: string
Default:
"text"Example:
"keep"Declared by:
boot.loader.grub.gfxpayloadEfi¶
The gfxpayload to pass to GRUB when loading a graphical boot interface under EFI.
Type: string
Default:
"keep"Example:
"text"Declared by:
boot.loader.grub.ipxe¶
Set of iPXE scripts available for booting from the GRUB boot menu.
Type: attribute set of path or strings
Default: ``{
}``
Example:
{ demo = '' #!ipxe dhcp chain http://boot.ipxe.org/demo/boot.php ''; }Declared by:
boot.loader.grub.memtest86.enable¶
Make Memtest86+ (or MemTest86 if EFI support is enabled), a memory testing program, available from the GRUB boot menu. MemTest86 is an unfree program, so this requires
allowUnfreeto be set to``true``.Type: boolean
Default:
falseDeclared by:
boot.loader.grub.memtest86.params¶
Parameters added to the Memtest86+ command line. As of memtest86+ 5.01 the following list of (apparently undocumented) parameters are accepted:
console=..., set up a serial console. Examples:console=ttyS0,console=ttyS0,9600orconsole=ttyS0,115200n8.btrace, enable boot trace.maxcpus=N, limit number of CPUs.onepass, run one pass and exit if there are no errors.tstlist=..., list of tests to run. Example:0,1,2.cpumask=..., set a CPU mask, to select CPUs to use for testing.This list of command line options was obtained by reading the Memtest86+ source code.
Type: list of strings
Default: ``[
]``
Example:
[ "console=ttyS0,115200" ]Declared by:
boot.loader.grub.mirroredBoots¶
Mirror the boot configuration to multiple partitions and install grub to the respective devices corresponding to those partitions.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ devices = [ “/dev/disk/by-id/wwn-0x500001234567890a” ] ; path = “/boot1”; }
{ devices = [ “/dev/disk/by-id/wwn-0x500009876543210a” ] ; path = “/boot2”; }
]``
Declared by:
boot.loader.grub.mirroredBoots.*.devices¶
The path to the devices which will have the GRUB MBR written. Note these are typically device paths and not paths to partitions.
Type: list of strings
Default: ``[
]``
Example:
[ "/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a" ]Declared by:
boot.loader.grub.mirroredBoots.*.efiBootloaderId¶
The id of the bootloader to store in efi nvram. The default is to name it NixOS and append the path or efiSysMountPoint. This is only used if
boot.loader.efi.canTouchEfiVariablesis true.Type: null or string
Default:
nullExample:
"NixOS-fsid"Declared by:
boot.loader.grub.mirroredBoots.*.efiSysMountPoint¶
The path to the efi system mount point. Usually this is the same partition as the above path and can be left as null.
Type: null or string
Default:
nullExample:
"/boot1/efi"Declared by:
boot.loader.grub.mirroredBoots.*.path¶
The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.
Type: string
Example:
"/boot1"Declared by:
boot.loader.grub.splashImage¶
Background image used for GRUB. Set to
nullto run GRUB in text mode.Note
For grub 1: It must be a 640x480, 14-colour image in XPM format, optionally compressed with:command:gzip or bzip2.
Note
For grub 2: File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must not be progressive. The image will be scaled if necessary to fit the screen.
Type: null or path
Example:
./my-background.pngDeclared by:
boot.loader.grub.splashMode¶
Whether to stretch the image or show the image in the top-left corner unstretched.
Note
This options has no effect for GRUB 1.
Type: one of “normal”, “stretch”
Default:
"stretch"Declared by:
boot.loader.grub.storePath¶
Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.
Type: string
Default:
"/nix/store"Declared by:
boot.loader.grub.trustedBoot.enable¶
Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.trustedBoot.isHPLaptop¶
Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.trustedBoot.systemHasTPM¶
Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of ‘trustedBoot.enable’. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
Type: string
Default:
""Example:
"YES_TPM_is_activated"Declared by:
boot.loader.grub.useOSProber¶
If set to true, append entries for other OSs detected by os-prober.
Type: boolean
Default:
falseDeclared by:
boot.loader.grub.version¶
The version of GRUB to use:
1for GRUB Legacy (versions 0.9x), or2(the default) for GRUB 2.Type: signed integer
Default:
2Example:
1Declared by:
boot.loader.grub.zfsSupport¶
Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.
Type: boolean
Default:
falseDeclared by:
boot.loader.initScript.enable¶
Some systems require a /sbin/init script which is started. Or having it makes starting NixOS easier. This applies to some kind of hosting services and user mode linux.
Additionally this script will create /boot/init-other-configurations-contents.txt containing contents of remaining configurations. You can copy paste them into /sbin/init manually running a rescue system or such.
Type: boolean
Default:
falseDeclared by:
boot.loader.raspberryPi.enable¶
Whether to create files with the system generations in``/boot``.``/boot/old`` will hold files from old generations.
Type: boolean
Default:
falseDeclared by:
boot.loader.raspberryPi.firmwareConfig¶
Extra options that will be appended to
/boot/config.txtfile. For possible values, see: https://www.raspberrypi.org/documentation/configuration/config-txt/Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
boot.loader.raspberryPi.uboot.enable¶
Enable using uboot as bootmanager for the raspberry pi.
Type: boolean
Default:
falseDeclared by:
boot.loader.raspberryPi.uboot.configurationLimit¶
Maximum number of configurations in the boot menu.
Type: signed integer
Default:
20Example:
10Declared by:
boot.loader.raspberryPi.version¶
Type: one of 0, 1, 2, 3, 4
Default:
2Declared by:
boot.loader.systemd-boot.enable¶
Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager
Type: boolean
Default:
falseDeclared by:
boot.loader.systemd-boot.configurationLimit¶
Maximum number of latest generations in the boot menu. Useful to prevent boot partition running out of disk space.
nullmeans no limit i.e. all generations that were not garbage collected yet.Type: null or signed integer
Default:
nullExample:
120Declared by:
boot.loader.systemd-boot.consoleMode¶
The resolution of the console. The following values are valid:
"0": Standard UEFI 80x25 mode"1": 80x50 mode, not supported by all devices"2": The first non-standard mode provided by the device firmware, if any"auto": Pick a suitable mode automatically using heuristics"max": Pick the highest-numbered available mode"keep": Keep the mode selected by firmware (the default)Type: one of “0”, “1”, “2”, “auto”, “max”, “keep”
Default:
"keep"Declared by:
boot.loader.systemd-boot.editor¶
Whether to allow editing the kernel command-line before boot. It is recommended to set this to false, as it allows gaining root access by passing init=/bin/sh as a kernel parameter. However, it is enabled by default for backwards compatibility.
Type: boolean
Default:
trueDeclared by:
boot.loader.systemd-boot.memtest86.enable¶
Make MemTest86 available from the systemd-boot menu. MemTest86 is a program for testing memory. MemTest86 is an unfree program, so this requires
allowUnfreeto be set to``true``.Type: boolean
Default:
falseDeclared by:
boot.loader.timeout¶
Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.
Type: null or signed integer
Default:
5Declared by:
boot.plymouth.enable¶
Whether to enable Plymouth boot splash screen.
Type: boolean
Default:
falseExample:
trueDeclared by:
boot.plymouth.extraConfig¶
Literal string to append to
configFileand the config file generated by the plymouth module.Type: strings concatenated with “\n”
Default:
""Declared by:
boot.plymouth.logo¶
Logo which is displayed on the splash screen.
Type: path
Default:
'' pkgs.fetchurl { url = "https://nixos.org/logo/nixos-hires.png"; sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si"; }''Declared by:
boot.plymouth.theme¶
Splash screen theme.
Type: string
Default:
"breeze"Declared by:
boot.plymouth.themePackages¶
Extra theme packages for plymouth.
Type: list of packages
Default:
[ *(build of breeze-plymouth-5.17.5)* ]Declared by:
boot.postBootCommands¶
Shell commands to be executed just before systemd is started.
Type: strings concatenated with “\n”
Default:
""Example:
"rm -f /var/log/messages"Declared by:
boot.resumeDevice¶
Device for manual resume attempt during boot. This should be used primarily if you want to resume from file. If left empty, the swap partitions are used. Specify here the device where the file resides. You should also use
boot.kernelParamsto specify``*resume_offset*``.Type: string
Default:
""Example:
"/dev/sda3"Declared by:
boot.runSize¶
Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.
Type: string
Default:
"25%"Example:
"256m"Declared by:
boot.specialFileSystems.<name?>.device¶
Location of the device.
Type: null or string (with check: non-empty)
Default:
nullExample:
"/dev/sda"Declared by:
boot.specialFileSystems.<name?>.fsType¶
Type of the file system.
Type: string (with check: non-empty)
Default:
"auto"Example:
"ext3"Declared by:
boot.specialFileSystems.<name?>.mountPoint¶
Location of the mounted the file system.
Type: string (with check: non-empty)
Example:
"/mnt/usb"Declared by:
boot.specialFileSystems.<name?>.options¶
Options used to mount the file system.
Type: list of string (with check: non-empty)s
Default:
[ "defaults" ]Example:
[ "data=journal" ]Declared by:
boot.supportedFilesystems¶
Names of supported filesystem types.
Type: list of strings
Default: ``[
]``
Example:
[ "btrfs" ]Declared by:
boot.systemd.services.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
boot.systemd.services.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.aliases¶
boot.systemd.services.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.confinement.enable¶
If set, all the required runtime store paths for this service are bind-mounted into a
tmpfs-based chroot2.Type: boolean
Default:
falseDeclared by:
boot.systemd.services.<name>.confinement.packages¶
Additional packages or strings with context to add to the closure of the chroot. By default, this includes all the packages from the, , , , and options. If you want to have all the dependencies of this systemd unit, you can use.
Note
The store paths listed in are*not* included in the closure as well as paths from other options except those listed above.
Type: list of string or packages
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.confinement.binSh¶
The program to make available as
/bin/shinside the chroot. If this is set tonull, no:file:/bin/sh is provided at all.This is useful for some applications, which for example use thesystem3 library function to execute commands.
Type: null or path
Default:
"config.environment.binsh"Example:
${pkgs.dash}/bin/dashDeclared by:
boot.systemd.services.<name>.confinement.fullUnit¶
Whether to include the full closure of the systemd unit file into the chroot, instead of just the dependencies for the executables.
Warning
While it may be tempting to just enable this option to make things work quickly, please be aware that this might add paths to the closure of the chroot that you didn’t anticipate. It’s better to use to explicitly add additional store paths to the chroot.
Type: boolean
Default:
falseDeclared by:
boot.systemd.services.<name>.confinement.mode¶
The value
full-apivfs(the default) sets up private/dev,/proc,/sysand/tmpfile systems in a separate user name space.If this is set to
chroot-only, only the file system name space is set up along with the call to chroot2.Note
This doesn’t cover network namespaces and is solely for file system level isolation.
Type: one of “full-apivfs”, “chroot-only”
Default:
"full-apivfs"Declared by:
boot.systemd.services.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
boot.systemd.services.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.environment¶
Environment variables passed to the service’s processes.
Type: attribute set of null or string or path or packages
Default: ``{
}``
Example:
{ LANG = "nl_NL.UTF-8"; PATH = "/foo/bar/bin"; }Declared by:
boot.systemd.services.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.path¶
Packages added to the service’s PATH environment variable. Both the
binandsbinsubdirectories of each package are added.Type: unspecified
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.postStart¶
Shell commands executed after the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.systemd.services.<name>.postStop¶
Shell commands executed after the service’s main process has exited.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.systemd.services.<name>.preStart¶
Shell commands executed before the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.systemd.services.<name>.preStop¶
Shell commands executed to stop the service.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.systemd.services.<name>.reload¶
Shell commands executed when the service’s main process is reloaded.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.systemd.services.<name>.reloadIfChanged¶
Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of is ignored.
Type: boolean
Default:
falseDeclared by:
boot.systemd.services.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.restartIfChanged¶
Whether the service should be restarted during a NixOS configuration switch if its definition has changed.
Type: boolean
Default:
trueDeclared by:
boot.systemd.services.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.script¶
Shell commands executed as the service’s main process.
Type: strings concatenated with “\n”
Default:
""Declared by:
boot.systemd.services.<name>.scriptArgs¶
Arguments passed to the main process script.
Type: string
Default:
""Declared by:
boot.systemd.services.<name>.serviceConfig¶
Each attribute in this set specifies an option in the``[Service]`` section of the unit. Seesystemd.service5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RestartSec = 5; StartLimitInterval = 10; }Declared by:
boot.systemd.services.<name>.startAt¶
Automatically start this unit at the given date/time, which must be in the format described insystemd.time7. This is equivalent to adding a corresponding timer unit with set to the value given here.
Type: string or list of strings
Default: ``[
]``
Example:
"Sun 14:00:00"Declared by:
boot.systemd.services.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
boot.systemd.services.<name>.stopIfChanged¶
If set, a changed unit is restarted by calling:command:systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using:command:systemctl restart in the new configuration. The latter is less correct because it runs the``ExecStop`` commands from the new configuration.
Type: boolean
Default:
trueDeclared by:
boot.systemd.services.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
boot.systemd.services.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.services.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
boot.systemd.sockets.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.aliases¶
boot.systemd.sockets.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
boot.systemd.sockets.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.listenStreams¶
For each item in this list, a
ListenStreamoption in the[Socket]section will be created.Type: list of strings
Default: ``[
]``
Example:
[ "0.0.0.0:993" "/run/my-socket" ]Declared by:
boot.systemd.sockets.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.socketConfig¶
Each attribute in this set specifies an option in the``[Socket]`` section of the unit. Seesystemd.socket5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ ListenStream = "/run/my-socket"; }Declared by:
boot.systemd.sockets.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
boot.systemd.sockets.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
boot.systemd.sockets.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.sockets.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
boot.systemd.targets.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.aliases¶
boot.systemd.targets.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
boot.systemd.targets.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
boot.systemd.targets.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
boot.systemd.targets.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
boot.systemd.targets.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
boot.tmpOnTmpfs¶
Whether to mount a tmpfs on
/tmpduring boot.Type: boolean
Default:
falseDeclared by:
boot.vesa¶
(Deprecated) This option, if set, activates the VESA 800x600 video mode on boot and disables kernel modesetting. It is equivalent to specifying
[ "vga=0x317" "nomodeset" ]in the option. This option is deprecated as of 2020: Xorg now works better with modesetting, and you might want a different VESA vga setting, anyway.Type: boolean
Default:
falseDeclared by:
boot.zfs.enableUnstable¶
Use the unstable zfs package. This might be an option, if the latest kernel is not yet supported by a published release of ZFS. Enabling this option will install a development version of ZFS on Linux. The version will have already passed an extensive test suite, but it is more likely to hit an undiscovered bug compared to running a released version of ZFS on Linux.
Type: boolean
Default:
falseDeclared by:
boot.zfs.devNodes¶
Name of directory from which to import ZFS devices.
This should be a path under /dev containing stable names for all devices needed, as import may fail if device nodes are renamed concurrently with a device failing.
Type: path
Default:
"/dev/disk/by-id"Example:
"/dev/disk/by-id"Declared by:
boot.zfs.extraPools¶
Name or GUID of extra ZFS pools that you wish to import during boot.
Usually this is not necessary. Instead, you should set the mountpoint property of ZFS filesystems to
legacyand add the ZFS filesystems to NixOS’s option, which makes NixOS automatically import the associated pool.However, in some cases (e.g. if you have many filesystems) it may be preferable to exclusively use ZFS commands to manage filesystems. If so, since NixOS/systemd will not be managing those filesystems, you will need to specify the ZFS pool here so that NixOS automatically imports it on every boot.
Type: list of strings
Default: ``[
]``
Example:
[ "tank" "data" ]Declared by:
boot.zfs.forceImportAll¶
Forcibly import all ZFS pool(s).
This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools.
If you set this option to
falseand NixOS subsequently fails to import your non-root ZFS pool(s), you should manually import each pool with “zpool import -f <pool-name>”, and then reboot. You should only need to do this once.Type: boolean
Default:
trueDeclared by:
boot.zfs.forceImportRoot¶
Forcibly import the ZFS root pool(s) during early boot.
This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools.
If you set this option to
falseand NixOS subsequently fails to boot because it cannot import the root pool, you should boot with the``zfs_force=1`` option as a kernel parameter (e.g. by manually editing the kernel params in grub during boot). You should only need to do this once.Type: boolean
Default:
trueDeclared by:
boot.zfs.requestEncryptionCredentials¶
Request encryption keys or passwords for all encrypted datasets on import. For root pools the encryption key can be supplied via both an interactive prompt (keylocation=prompt) and from a file (keylocation=file://). Note that for data pools the encryption key can be only loaded from a file and not via interactive prompt since the import is processed in a background systemd service.
Type: boolean
Default:
trueDeclared by:
console.packages¶
List of additional packages that provide console fonts, keymaps and other resources for virtual consoles use.
Type: list of packages
Default:
"with pkgs.kbdKeymaps; [ dvp neo ]"Declared by:
console.colors¶
The 16 colors palette used by the virtual consoles. Leave empty to use the default colors. Colors must be in hexadecimal format and listed in order from color 0 to color 15.
Type: list of strings
Default: ``[
]``
Example:
[ "002b36" "dc322f" "859900" "b58900" "268bd2" "d33682" "2aa198" "eee8d5" "002b36" "cb4b16" "586e75" "657b83" "839496" "6c71c4" "93a1a1" "fdf6e3" ]Declared by:
console.earlySetup¶
Enable setting virtual console options as early as possible (in initrd).
Type: boolean
Default:
falseDeclared by:
console.extraTTYs¶
TTY (virtual console) devices, in addition to the consoles on which mingetty and syslogd run, that must be initialised. Only useful if you have some program that you want to run on some fixed console. For example, the NixOS installation CD opens the manual in a web browser on console 7, so it sets to
["tty7"].Type: list of strings
Default: ``[
]``
Example:
[ "tty8" "tty9" ]Declared by:
console.font¶
The font used for the virtual consoles. Leave empty to use whatever the setfont program considers the default font.
Type: string
Default:
"Lat2-Terminus16"Example:
"LatArCyrHeb-16"Declared by:
console.keyMap¶
The keyboard mapping table for the virtual consoles.
Type: string or path
Default:
"us"Example:
"fr"Declared by:
console.useXkbConfig¶
If set, configure the virtual console keymap from the xserver keyboard settings.
Type: boolean
Default:
falseDeclared by:
containers¶
A set of NixOS system configurations to be run as lightweight containers. Each container appears as a service``container-*name*`` on the host system, allowing it to be started and stopped via:command:systemctl.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ webserver = { path = "/nix/var/nix/profiles/webserver"; }; database = { config = { config, pkgs, ... }: { services.postgresql.enable = true; services.postgresql.package = pkgs.postgresql_9_6; system.stateVersion = "17.03"; }; }; }Declared by:
containers.<name>.enableTun¶
Allows the container to create and setup tunnel interfaces by granting the
NET_ADMINcapability and enabling access to/dev/net/tun.Type: boolean
Default:
falseDeclared by:
containers.<name>.additionalCapabilities¶
Grant additional capabilities to the container. See the capabilities(7) and systemd-nspawn(1) man pages for more information.
Type: list of strings
Default: ``[
]``
Example:
[ "CAP_NET_ADMIN" "CAP_MKNOD" ]Declared by:
containers.<name>.allowedDevices¶
containers.<name>.allowedDevices.*.modifier¶
Device node access modifier. Takes a combination``r`` (read),
w(write), and``m`` (mknod). See the``systemd.resource-control(5)`` man page for more information.Type: string
Example:
"rw"Declared by:
containers.<name>.allowedDevices.*.node¶
Path to device node
Type: string
Example:
"/dev/net/tun"Declared by:
containers.<name>.autoStart¶
Whether the container is automatically started at boot-time.
Type: boolean
Default:
falseDeclared by:
containers.<name>.bindMounts¶
An extra list of directories that is bound to the container.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ /home = { hostPath = "/home/alice"; isReadOnly = false; } ; }Declared by:
containers.<name>.bindMounts.<name?>.hostPath¶
Location of the host path to be mounted.
Type: null or string
Default:
nullExample:
"/home/alice"Declared by:
containers.<name>.bindMounts.<name?>.isReadOnly¶
Determine whether the mounted path will be accessed in read-only mode.
Type: boolean
Default:
trueDeclared by:
containers.<name>.bindMounts.<name?>.mountPoint¶
Mount point on the container file system.
Type: string
Example:
"/mnt/usb"Declared by:
containers.<name>.config¶
A specification of the desired configuration of this container, as a NixOS module.
Type: Toplevel NixOS config
Declared by:
containers.<name>.ephemeral¶
Runs container in ephemeral mode with the empty root filesystem at boot. This way container will be bootstrapped from scratch on each boot and will be cleaned up on shutdown leaving no traces behind. Useful for completely stateless, reproducible containers.
Note that this option might require to do some adjustments to the container configuration, e.g. you might want to set``systemd.network.networks.$interface.dhcpConfig.ClientIdentifier`` to “mac” if you use
macvlansoption. This way dhcp client identifier will be stable between the container restarts.Note that the container journal will not be linked to the host if this option is enabled.
Type: boolean
Default:
falseDeclared by:
containers.<name>.extraFlags¶
Extra flags passed to the systemd-nspawn command. See systemd-nspawn(1) for details.
Type: list of strings
Default: ``[
]``
Example:
[ "--drop-capability=CAP_SYS_CHROOT" ]Declared by:
containers.<name>.extraVeths¶
Extra veth-pairs to be created for the container
Type: attribute set of submodules
Default: ``{
}``
Declared by:
containers.<name>.extraVeths.<name>.forwardPorts¶
List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ containerPort = 80; hostPort = 8080; protocol = “tcp”; }
]``
Declared by:
containers.<name>.extraVeths.<name>.forwardPorts.*.containerPort¶
Target port of container
Type: null or signed integer
Default:
nullDeclared by:
containers.<name>.extraVeths.<name>.forwardPorts.*.hostPort¶
Source port of the external interface on host
Type: signed integer
Declared by:
containers.<name>.extraVeths.<name>.forwardPorts.*.protocol¶
The protocol specifier for port forwarding between host and container
Type: string
Default:
"tcp"Declared by:
containers.<name>.extraVeths.<name>.hostAddress¶
The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default:
nullExample:
"10.231.136.1"Declared by:
containers.<name>.extraVeths.<name>.hostAddress6¶
The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default:
nullExample:
"fc00::1"Declared by:
containers.<name>.extraVeths.<name>.hostBridge¶
Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.
Type: null or string
Default:
nullExample:
"br0"Declared by:
containers.<name>.extraVeths.<name>.localAddress¶
The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.
Type: null or string
Default:
nullExample:
"10.231.136.2"Declared by:
containers.<name>.extraVeths.<name>.localAddress6¶
The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.
Type: null or string
Default:
nullExample:
"fc00::2"Declared by:
containers.<name>.forwardPorts¶
List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ containerPort = 80; hostPort = 8080; protocol = “tcp”; }
]``
Declared by:
containers.<name>.forwardPorts.*.containerPort¶
Target port of container
Type: null or signed integer
Default:
nullDeclared by:
containers.<name>.forwardPorts.*.hostPort¶
Source port of the external interface on host
Type: signed integer
Declared by:
containers.<name>.forwardPorts.*.protocol¶
The protocol specifier for port forwarding between host and container
Type: string
Default:
"tcp"Declared by:
containers.<name>.hostAddress¶
The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default:
nullExample:
"10.231.136.1"Declared by:
containers.<name>.hostAddress6¶
The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)
Type: null or string
Default:
nullExample:
"fc00::1"Declared by:
containers.<name>.hostBridge¶
Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.
Type: null or string
Default:
nullExample:
"br0"Declared by:
containers.<name>.interfaces¶
The list of interfaces to be moved into the container.
Type: list of strings
Default: ``[
]``
Example:
[ "eth1" "eth2" ]Declared by:
containers.<name>.localAddress¶
The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.
Type: null or string
Default:
nullExample:
"10.231.136.2"Declared by:
containers.<name>.localAddress6¶
The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.
Type: null or string
Default:
nullExample:
"fc00::2"Declared by:
containers.<name>.macvlans¶
The list of host interfaces from which macvlans will be created. For each interface specified, a macvlan interface will be created and moved to the container.
Type: list of strings
Default: ``[
]``
Example:
[ "eth1" "eth2" ]Declared by:
containers.<name>.path¶
As an alternative to specifying, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.
Type: path
Example:
"/nix/var/nix/profiles/containers/webserver"Declared by:
containers.<name>.privateNetwork¶
Whether to give the container its own private virtual Ethernet interface. The interface is called``eth0``, and is hooked up to the interface``ve-*container-name*`` on the host. If this option is not set, then the container shares the network interfaces of the host, and can bind to any port on any interface.
Type: boolean
Default:
falseDeclared by:
containers.<name>.timeoutStartSec¶
Time for the container to start. In case of a timeout, the container processes get killed. See systemd.time7 for more information about the format.
Type: string
Default:
"1min"Declared by:
containers.<name>.tmpfs¶
Mounts a set of tmpfs file systems into the container. Multiple paths can be specified. Valid items must conform to the –tmpfs argument of systemd-nspawn. See systemd-nspawn(1) for details.
Type: list of strings
Default: ``[
]``
Example:
[ "/var" ]Declared by:
docker-containers¶
Docker containers to run as systemd services.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
docker-containers.<name>.autoStart¶
When enabled, the container is automatically started on boot. If this option is set to false, the container has to be started on-demand via its service.
Type: boolean
Default:
trueDeclared by:
docker-containers.<name>.cmd¶
Commandline arguments to pass to the image’s entrypoint.
Type: list of strings
Default: ``[
]``
Example:
["--port=9000"]Declared by:
docker-containers.<name>.dependsOn¶
Define which other containers this one depends on. They will be added to both After and Requires for the unit.
Use the same name as the attribute under
services.docker-containers.Type: list of strings
Default: ``[
]``
Example:
services.docker-containers = { node1 = {}; node2 = { dependsOn = [ "node1" ]; } }Declared by:
docker-containers.<name>.entrypoint¶
Override the default entrypoint of the image.
Type: null or string
Default:
nullExample:
"/bin/my-app"Declared by:
docker-containers.<name>.environment¶
Environment variables to set for this container.
Type: attribute set of strings
Default: ``{
}``
Example:
{ DATABASE_HOST = "db.example.com"; DATABASE_PORT = "3306"; }Declared by:
docker-containers.<name>.extraDockerOptions¶
Extra options for docker run.
Type: list of strings
Default: ``[
]``
Example:
["--network=host"]Declared by:
docker-containers.<name>.image¶
Docker image to run.
Type: string
Example:
"library/hello-world"Declared by:
docker-containers.<name>.imageFile¶
Path to an image file to load instead of pulling from a registry. If defined, do not pull from registry.
You still need to set the
imageattribute, as it will be used as the image name for docker to start a container.Type: null or package
Default:
nullExample:
pkgs.dockerTools.buildDockerImage {...};Declared by:
docker-containers.<name>.log-driver¶
Logging driver for the container. The default of``”none”`` means that the container’s logs will be handled as part of the systemd unit. Setting this to``”journald”`` will result in duplicate logging, but the container’s logs will be visible to the docker logs command.
For more details and a full list of logging drivers, refer to the`Docker engine documentation <https://docs.docker.com/engine/reference/run/#logging-drivers—log-driver>`_
Type: string
Default:
"none"Declared by:
docker-containers.<name>.ports¶
Network ports to publish from the container to the outer host.
Valid formats:
<ip>:<hostPort>:<containerPort><ip>::<containerPort><hostPort>:<containerPort><containerPort>Both
hostPortand``containerPort`` can be specified as a range of ports. When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. Example:1234-1236:1234-1236/tcpWhen specifying a range for
hostPortonly, the``containerPort`` must not be a range. In this case, the container port is published somewhere within the specifiedhostPortrange. Example:1234-1236:1234/tcpRefer to the`Docker engine documentation <https://docs.docker.com/engine/reference/run/#expose-incoming-ports>`_ for full details.
Type: list of strings
Default: ``[
]``
Example:
[ "8080:9000" ]Declared by:
docker-containers.<name>.user¶
Override the username or UID (and optionally groupname or GID) used in the container.
Type: null or string
Default:
nullExample:
"nobody:nogroup"Declared by:
docker-containers.<name>.volumes¶
List of volumes to attach to this container.
Note that this is a list of
"src:dst"strings to allow forsrcto refer to``/nix/store`` paths, which would be difficult with an attribute set. There are also a variety of mount options available as a third field; please refer to the`docker engine documentation <https://docs.docker.com/engine/reference/run/#volume-shared-filesystems>`_ for details.Type: list of strings
Default: ``[
]``
Example:
[ "volume_name:/path/inside/container" "/path/on/host:/path/inside/container" ]Declared by:
docker-containers.<name>.workdir¶
Override the default working directory for the container.
Type: null or string
Default:
nullExample:
"/var/lib/hello_world"Declared by:
documentation.enable¶
Whether to install documentation of packages from into the generated system path.
See “Multiple-output packages” chapter in the nixpkgs manual for more info.
Type: boolean
Default:
trueDeclared by:
documentation.dev.enable¶
Whether to install documentation targeted at developers.
- This includes man pages targeted at developers if is set (this also includes “devman” outputs).
- This includes info pages targeted at developers if is set (this also includes “devinfo” outputs).
- This includes other pages targeted at developers if is set (this also includes “devdoc” outputs).
Type: boolean
Default:
falseDeclared by:
documentation.doc.enable¶
Whether to install documentation distributed in packages’
/share/doc. Usually plain text and/or HTML. This also includes “doc” outputs.Type: boolean
Default:
trueDeclared by:
documentation.info.enable¶
Whether to install info pages and the info command. This also includes “info” outputs.
Type: boolean
Default:
trueDeclared by:
documentation.man.enable¶
Whether to install manual pages and the man command. This also includes “man” outputs.
Type: boolean
Default:
trueDeclared by:
documentation.nixos.enable¶
Whether to install NixOS’s own documentation.
- This includes man pages like configuration.nix5 if is set.
- This includes the HTML manual and the nixos-help command if is set.
Type: boolean
Default:
trueDeclared by:
documentation.nixos.includeAllModules¶
Whether the generated NixOS’s documentation should include documentation for all the options from all the NixOS modules included in the current``configuration.nix``. Disabling this will make the manual generator to ignore options defined outside of
baseModules.Type: boolean
Default:
falseDeclared by:
dysnomia.enable¶
Whether to enable Dysnomia
Type: boolean
Default:
falseDeclared by:
dysnomia.enableAuthentication¶
Whether to publish privacy-sensitive authentication credentials
Type: boolean
Default:
falseDeclared by:
dysnomia.package¶
dysnomia.components¶
An atttribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state
Type: unspecified
Default: ``{
}``
Declared by:
dysnomia.containers¶
An attribute set in which each key represents a container and each value an attribute set providing its configuration properties
Type: unspecified
Default: ``{
}``
Declared by:
dysnomia.extraContainerPaths¶
A list of paths containing additional container configurations that are added to the search folders
Type: unspecified
Default: ``[
]``
Declared by:
dysnomia.extraContainerProperties¶
An attribute set providing additional container settings in addition to the default properties
Type: unspecified
Default: ``{
}``
Declared by:
dysnomia.extraModulePaths¶
A list of paths containing additional modules that are added to the search folders
Type: unspecified
Default: ``[
]``
Declared by:
dysnomia.properties¶
An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions.
Type: unspecified
Default: ``{
}``
Declared by:
environment.enableDebugInfo¶
Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in
/run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them. If you need debug symbols for a package that doesn’t provide them by default, you can enable them as follows:nixpkgs.config.packageOverrides = pkgs: { hello = pkgs.hello.overrideAttrs (oldAttrs: { separateDebugInfo = true; }); };Type: boolean
Default:
falseDeclared by:
environment.checkConfigurationOptions¶
environment.etc¶
Set of files that have to be linked in
/etc.Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ example-configuration-file = { source = "/nix/store/.../etc/dir/file.conf.example"; mode = "0440"; }; "default/useradd".text = "GROUP=100 ..."; }Declared by:
environment.etc.<name?>.enable¶
Whether this /etc file should be generated. This option allows specific /etc files to be disabled.
Type: boolean
Default:
trueDeclared by:
environment.etc.<name?>.gid¶
GID of created file. Only takes affect when the file is copied (that is, the mode is not ‘symlink’).
Type: signed integer
Default:
0Declared by:
environment.etc.<name?>.group¶
Group name of created file. Only takes affect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over
gid.Type: string
Default:
"+0"Declared by:
environment.etc.<name?>.mode¶
If set to something else than
symlink, the file is copied instead of symlinked, with the given file mode.Type: string
Default:
"symlink"Example:
"0600"Declared by:
environment.etc.<name?>.source¶
environment.etc.<name?>.target¶
Name of symlink (relative to:file:/etc). Defaults to the attribute name.
Type: string
Declared by:
environment.etc.<name?>.text¶
Text of the file.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
environment.etc.<name?>.uid¶
UID of created file. Only takes affect when the file is copied (that is, the mode is not ‘symlink’).
Type: signed integer
Default:
0Declared by:
environment.etc.<name?>.user¶
User name of created file. Only takes affect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over
uid.Type: string
Default:
"+0"Declared by:
environment.extraInit¶
Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with “\n”
Default:
""Declared by:
environment.extraOutputsToInstall¶
List of additional package outputs to be symlinked into
/run/current-system/sw.Type: list of strings
Default: ``[
]``
Example:
[ "doc" "info" "devdoc" ]Declared by:
environment.extraSetup¶
Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at $out.
Type: strings concatenated with “\n”
Default:
""Declared by:
environment.freetds¶
Configure freetds database entries. Each attribute denotes a section within freetds.conf, and the value (a string) is the config content for that section. When at least one entry is configured the global environment variables FREETDSCONF, FREETDS and SYBASE will be configured to allow the programs that use freetds to find the library and config.
Type: attribute set of strings
Default: ``{
}``
Example:
{ MYDATABASE = '' host = 10.0.2.100 port = 1433 tds version = 7.2 ''; }Declared by:
environment.gnome3.excludePackages¶
Which packages gnome should exclude from the default environment
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.gnome3.totem ]Declared by:
environment.homeBinInPath¶
Include ~/bin/ in $PATH.
Type: boolean
Default:
falseDeclared by:
environment.interactiveShellInit¶
Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with “\n”
Default:
""Declared by:
environment.loginShellInit¶
Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with “\n”
Default:
""Declared by:
environment.lxqt.excludePackages¶
Which LXQt packages to exclude from the default environment
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.lxqt.qterminal ]Declared by:
environment.mate.excludePackages¶
Which MATE packages to exclude from the default environment
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.mate.mate-terminal pkgs.mate.pluma ]Declared by:
environment.memoryAllocator.provider¶
The system-wide memory allocator.
Briefly, the system-wide memory allocator providers are:
libc: the standard allocator provided by libcgraphene-hardened: An allocator designed to mitigate memory corruption attacks, such as those caused by use-after-free bugs.jemalloc: A general purpose allocator that emphasizes fragmentation avoidance and scalable concurrency support.scudo: A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator, which aims at providing additional mitigations against heap based vulnerabilities, while maintaining good performance.Warning
Selecting an alternative allocator (i.e., anything other than``libc``) may result in instability, data loss, and/or service failure.
Type: one of “libc”, “graphene-hardened”, “jemalloc”, “scudo”
Default:
"libc"Declared by:
environment.noXlibs¶
Switch off the options in the default configuration that require X11 libraries. This includes client-side font configuration and SSH forwarding of X11 authentication in. Thus, you probably do not want to enable this option if you want to run X11 programs on this machine via SSH.
Type: boolean
Default:
falseDeclared by:
environment.pantheon.excludePackages¶
Which packages pantheon should exclude from the default environment
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.pantheon.elementary-camera ]Declared by:
environment.pathsToLink¶
List of directories to be symlinked in
/run/current-system/sw.Type: list of strings
Default: ``[
]``
Example:
[ "/" ]Declared by:
environment.profileRelativeEnvVars¶
Attribute set of environment variable. Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of to form the content of the corresponding environment variable.
Type: attribute set of list of stringss
Example:
{ MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }Declared by:
environment.profileRelativeSessionVariables¶
Attribute set of environment variable used in the global environment. These variables will be set by PAM early in the login process.
Variable substitution is available as described inpam_env.conf5.
Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of to form the content of the corresponding environment variable.
Also, these variables are merged into:ref:opt-environment.profileRelativeEnvVars and it is therefore not possible to use PAM style variables such as@{HOME}.
Type: attribute set of list of stringss
Example:
{ MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }Declared by:
environment.profiles¶
A list of profiles used to setup the global environment.
Type: list of strings
Default: ``[
]``
Declared by:
environment.sessionVariables¶
A set of environment variables used in the global environment. These variables will be set by PAM early in the login process.
The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.
Note, due to limitations in the PAM format values may not contain the
"character.Also, these variables are merged into:ref:opt-environment.variables and it is therefore not possible to use PAM style variables such as@{HOME}.
Type: attribute set of string or list of stringss
Default: ``{
}``
Declared by:
environment.shellAliases¶
An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users’ shells. Aliases mapped to null are ignored.
Type: attribute set of null or string or paths
Example:
{ l = null; ll = "ls -l"; }Declared by:
environment.shellInit¶
Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.
Type: strings concatenated with “\n”
Default:
""Declared by:
environment.shells¶
A list of permissible login shells for user accounts. No need to mention
/bin/shhere, it is placed into this list implicitly.Type: list of package or paths
Default: ``[
]``
Example:
[ pkgs.bashInteractive pkgs.zsh ]Declared by:
environment.systemPackages¶
The set of packages that appear in /run/current-system/sw. These packages are automatically available to all users, and are automatically updated every time you rebuild the system configuration. (The latter is the main difference with installing them in the default profile,:file:/nix/var/nix/profiles/default.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.firefox pkgs.thunderbird ]Declared by:
environment.unixODBCDrivers¶
Specifies Unix ODBC drivers to be registered in:file:/etc/odbcinst.ini. You may also want to add
pkgs.unixODBCto the system path to get a command line client to connect to ODBC databases.Type: list of packages
Default: ``[
]``
Example:
with pkgs.unixODBCDrivers; [ sqlite psql ]Declared by:
environment.variables¶
A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.
Type: attribute set of string or list of stringss
Default: ``{
}``
Example:
{ EDITOR = "nvim"; VISUAL = "nvim"; }Declared by:
fileSystems¶
The file systems to be mounted. It must include an entry for the root directory (
mountPoint = "/"). Each entry in the list is an attribute set with the following fields:mountPoint,device,``fsType`` (a file system type recognised by:command:mount; defaults to``”auto”), and ``options(the mount options passed to mount using the flag; defaults to[ "defaults" ]).Instead of specifying
device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ "/".device = "/dev/hda1"; "/data" = { device = "/dev/hda2"; fsType = "ext3"; options = [ "data=journal" ]; }; "/bigdisk".label = "bigdisk"; }Declared by:
fileSystems.<name?>.autoFormat¶
If the device does not currently contain a filesystem (as determined by blkid, then automatically format it with the filesystem type specified in. Use with caution.
Type: boolean
Default:
falseDeclared by:
fileSystems.<name?>.autoResize¶
If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.
Type: boolean
Default:
falseDeclared by:
fileSystems.<name?>.device¶
Location of the device.
Type: null or string (with check: non-empty)
Default:
nullExample:
"/dev/sda"Declared by:
fileSystems.<name?>.encrypted.enable¶
The block device is backed by an encrypted one, adds this device as a initrd luks entry.
Type: boolean
Default:
falseDeclared by:
fileSystems.<name?>.encrypted.blkDev¶
Location of the backing encrypted device.
Type: null or string
Default:
nullExample:
"/dev/sda1"Declared by:
fileSystems.<name?>.encrypted.keyFile¶
File system location of keyfile. This unlocks the drive after the root has been mounted to
/mnt-root.Type: null or string
Default:
nullExample:
"/mnt-root/root/.swapkey"Declared by:
fileSystems.<name?>.encrypted.label¶
Label of the unlocked encrypted device. Set
fileSystems.<name?>.deviceto/dev/mapper/<label>to mount the unlocked device.Type: null or string
Default:
nullExample:
"rootfs"Declared by:
fileSystems.<name?>.formatOptions¶
If option is set specifies extra options passed to mkfs.
Type: string
Default:
""Declared by:
fileSystems.<name?>.fsType¶
Type of the file system.
Type: string (with check: non-empty)
Default:
"auto"Example:
"ext3"Declared by:
fileSystems.<name?>.label¶
Label of the device (if any).
Type: null or string (with check: non-empty)
Default:
nullExample:
"root-partition"Declared by:
fileSystems.<name?>.mountPoint¶
Location of the mounted the file system.
Type: string (with check: non-empty)
Example:
"/mnt/usb"Declared by:
fileSystems.<name?>.neededForBoot¶
If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing:file:/nix/store.
Type: boolean
Default:
falseDeclared by:
fileSystems.<name?>.noCheck¶
Disable running fsck on this filesystem.
Type: boolean
Default:
falseDeclared by:
fileSystems.<name?>.options¶
Options used to mount the file system.
Type: list of string (with check: non-empty)s
Default:
[ "defaults" ]Example:
[ "data=journal" ]Declared by:
fonts.enableDefaultFonts¶
Enable a basic set of fonts providing several font styles and families and reasonable coverage of Unicode.
Type: boolean
Default:
falseDeclared by:
fonts.enableFontDir¶
Whether to create a directory with links to all fonts in:file:/run/current-system/sw/share/X11-fonts.
Type: unspecified
Default:
falseDeclared by:
fonts.enableGhostscriptFonts¶
Whether to add the fonts provided by Ghostscript (such as various URW fonts and the “Base-14” Postscript fonts) to the list of system fonts, making them available to X11 applications.
Type: unspecified
Default:
falseDeclared by:
fonts.fontconfig.enable¶
If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don’t care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts.
Type: boolean
Default:
trueDeclared by:
fonts.fontconfig.allowBitmaps¶
Allow bitmap fonts. Set to
falseto ban all bitmap fonts.Type: boolean
Default:
trueDeclared by:
fonts.fontconfig.allowType1¶
Allow Type-1 fonts. Default is
falsebecause of poor rendering.Type: boolean
Default:
falseDeclared by:
fonts.fontconfig.antialias¶
Enable font antialiasing. At high resolution (> 200 DPI), antialiasing has no visible effect; users of such displays may want to disable this option.
Type: boolean
Default:
trueDeclared by:
fonts.fontconfig.cache32Bit¶
Generate system fonts cache for 32-bit applications.
Type: boolean
Default:
falseDeclared by:
fonts.fontconfig.defaultFonts.emoji¶
System-wide default emoji font(s). Multiple fonts may be listed in case a font does not support all emoji.
Note that fontconfig matches color emoji fonts preferentially, so if you want to use a black and white font while having a color font installed (eg. Noto Color Emoji installed alongside Noto Emoji), fontconfig will still choose the color font even when it is later in the list.
Type: list of strings
Default:
[ "Noto Color Emoji" ]Declared by:
fonts.fontconfig.defaultFonts.monospace¶
System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.
Type: list of strings
Default:
[ "DejaVu Sans Mono" ]Declared by:
fonts.fontconfig.defaultFonts.sansSerif¶
System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.
Type: list of strings
Default:
[ "DejaVu Sans" ]Declared by:
fonts.fontconfig.defaultFonts.serif¶
System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.
Type: list of strings
Default:
[ "DejaVu Serif" ]Declared by:
fonts.fontconfig.dpi¶
Force DPI setting. Setting to
0disables DPI forcing; the DPI detected for the display will be used.Type: signed integer
Default:
0Declared by:
fonts.fontconfig.hinting.enable¶
Enable font hinting. Hinting aligns glyphs to pixel boundaries to improve rendering sharpness at low resolution. At high resolution (> 200 dpi) hinting will do nothing (at best); users of such displays may want to disable this option.
Type: boolean
Default:
trueDeclared by:
fonts.fontconfig.hinting.autohint¶
Enable the autohinter in place of the default interpreter. The results are usually lower quality than correctly-hinted fonts, but better than unhinted fonts.
Type: boolean
Default:
falseDeclared by:
fonts.fontconfig.includeUserConf¶
Include the user configuration from:file:~/.config/fontconfig/fonts.conf or:file:~/.config/fontconfig/conf.d.
Type: boolean
Default:
trueDeclared by:
fonts.fontconfig.localConf¶
System-wide customization file contents, has higher priority than``defaultFonts`` settings.
Type: strings concatenated with “\n”
Default:
""Declared by:
fonts.fontconfig.penultimate.enable¶
Enable fontconfig-penultimate settings to supplement the NixOS defaults by providing per-font rendering defaults and metric aliases.
Type: boolean
Default:
falseDeclared by:
fonts.fontconfig.subpixel.lcdfilter¶
FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering has no visible effect; users of such displays may want to select``none``.
Type: one of “none”, “default”, “light”, “legacy”
Default:
"default"Declared by:
fonts.fontconfig.subpixel.rgba¶
Subpixel order. The overwhelming majority of displays are``rgb`` in their normal orientation. Select``vrgb`` for mounting such a display 90 degrees clockwise from its normal orientation or
vbgrfor mounting 90 degrees counter-clockwise. Select``bgr`` in the unlikely event of mounting 180 degrees from the normal orientation. Reverse these directions in the improbable event that the display’s native subpixel order is``bgr``.Type: one of “rgb”, “bgr”, “vrgb”, “vbgr”, “none”
Default:
"rgb"Declared by:
fonts.fontconfig.useEmbeddedBitmaps¶
Use embedded bitmaps in fonts like Calibri.
Type: boolean
Default:
falseDeclared by:
fonts.fonts¶
List of primary font paths.
Type: list of paths
Default: ``[
]``
Example:
[ pkgs.dejavu_fonts ]Declared by:
gnu¶
When enabled, GNU software is chosen by default whenever a there is a choice between GNU and non-GNU software (e.g., GNU lsh vs. OpenSSH).
Type: boolean
Default:
falseDeclared by:
gtk.iconCache.enable¶
Whether to build icon theme caches for GTK applications.
Type: boolean
Default:
falseDeclared by:
hardware.enableAllFirmware¶
Turn on this option if you want to enable all the firmware.
Type: boolean
Default:
falseDeclared by:
hardware.enableRedistributableFirmware¶
Turn on this option if you want to enable all the firmware with a license allowing redistribution. (i.e. free firmware and
firmware-linux-nonfree)Type: boolean
Default:
falseDeclared by:
hardware.acpilight.enable¶
Enable acpilight. This will allow brightness control via xbacklight from users in the video group
Type: boolean
Default:
falseDeclared by:
hardware.bladeRF.enable¶
Enables udev rules for BladeRF devices. By default grants access to users in the “bladerf” group. You may want to install the libbladeRF package.
Type: boolean
Default:
falseDeclared by:
hardware.bluetooth.enable¶
Whether to enable support for Bluetooth.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.bluetooth.package¶
Which BlueZ package to use.
Note
Use the
pkgs.bluezFullpackage to enable all bluez plugins.Type: package
Default:
"pkgs.bluez"Example:
"pkgs.bluezFull"Declared by:
hardware.bluetooth.config¶
Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
Type: attribute set of attribute set of boolean or signed integer or stringss
Example:
{ General = { ControllerMode = "bredr"; } ; }Declared by:
hardware.bluetooth.extraConfig¶
Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
Type: null or strings concatenated with “\n”
Default:
nullExample:
'' [General] ControllerMode = bredr ''Declared by:
hardware.bluetooth.powerOnBoot¶
Whether to power up the default Bluetooth controller on boot.
Type: boolean
Default:
trueDeclared by:
hardware.brillo.enable¶
Whether to enable Enable brillo in userspace. This will allow brightness control from users in the video group. .
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.bumblebee.enable¶
Enable the bumblebee daemon to manage Optimus hybrid video cards. This should power off secondary GPU until its use is requested by running an application with optirun.
Type: boolean
Default:
falseDeclared by:
hardware.bumblebee.connectDisplay¶
Set to true if you intend to connect your discrete card to a monitor. This option will set up your Nvidia card for EDID discovery and to turn on the monitor signal.
Only nvidia driver is supported so far.
Type: boolean
Default:
falseDeclared by:
hardware.bumblebee.driver¶
Set driver used by bumblebeed. Supported are nouveau and nvidia.
Type: one of “nvidia”, “nouveau”
Default:
"nvidia"Declared by:
hardware.bumblebee.group¶
Group for bumblebee socket
Type: string
Default:
"wheel"Example:
"video"Declared by:
hardware.bumblebee.pmMethod¶
Set preferred power management method for unused card.
Type: one of “auto”, “bbswitch”, “switcheroo”, “none”
Default:
"auto"Declared by:
hardware.ckb-next.enable¶
Whether to enable the Corsair keyboard/mouse driver.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.ckb-next.package¶
The package implementing the Corsair keyboard/mouse driver.
Type: package
Default:
"pkgs.ckb-next"Declared by:
hardware.ckb-next.gid¶
Limit access to the ckb daemon to a particular group.
Type: null or signed integer
Default:
nullExample:
100Declared by:
hardware.cpu.amd.updateMicrocode¶
Update the CPU microcode for AMD processors.
Type: boolean
Default:
falseDeclared by:
hardware.cpu.intel.updateMicrocode¶
Update the CPU microcode for Intel processors.
Type: boolean
Default:
falseDeclared by:
hardware.deviceTree.enable¶
Build device tree files. These are used to describe the non-discoverable hardware of a system.
Type: boolean
Default:
falseDeclared by:
hardware.deviceTree.base¶
The package containing the base device-tree (.dtb) to boot. Contains device trees bundled with the Linux kernel by default.
Type: path
Default:
"\\${config.boot.kernelPackages.kernel}/dtbs"Example:
pkgs.deviceTree_rpiDeclared by:
hardware.deviceTree.overlays¶
A path containing device tree overlays (.dtbo) to be applied to all base device-trees.
Type: list of paths
Default: ``[
]``
Example:
["${pkgs.deviceTree_rpi.overlays}/w1-gpio.dtbo"]Declared by:
hardware.digitalbitbox.enable¶
Enables udev rules for Digital Bitbox devices.
Type: boolean
Default:
falseDeclared by:
hardware.digitalbitbox.package¶
The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.
Type: package
Default:
"pkgs.digitalbitbox"Declared by:
hardware.facetimehd.enable¶
Whether to enable facetimehd kernel module.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.fancontrol.enable¶
Whether to enable software fan control (requires fancontrol.config).
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.fancontrol.config¶
Fancontrol configuration file content. See pwmconfig8 from the lm_sensors package.
Type: strings concatenated with “\n”
Default:
nullExample:
'' # Configuration file generated by pwmconfig INTERVAL=10 DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656 DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input MINTEMP=hwmon4/device/pwm1=35 MAXTEMP=hwmon4/device/pwm1=65 MINSTART=hwmon4/device/pwm1=150 MINSTOP=hwmon4/device/pwm1=0 ''Declared by:
hardware.firmware¶
List of packages containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If multiple packages contain firmware files with the same name, the first package in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories.
Type: list of packages
Default: ``[
]``
Declared by:
hardware.ksm.enable¶
Whether to enable Kernel Same-Page Merging.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.ksm.sleep¶
How many milliseconds ksmd should sleep between scans. Setting it to
nulluses the kernel’s default time.Type: null or signed integer
Default:
nullDeclared by:
hardware.ledger.enable¶
Whether to enable udev rules for Ledger devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.logitech.enable¶
Whether to enable Logitech Devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.logitech.enableGraphical¶
Enable graphical support applications.
Type: boolean
Default:
falseDeclared by:
hardware.mcelog.enable¶
Enable the Machine Check Exception logger.
Type: boolean
Default:
falseDeclared by:
hardware.mwProCapture.enable¶
Whether to enable Magewell Pro Capture family kernel module.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.nitrokey.enable¶
Enables udev rules for Nitrokey devices. By default grants access to users in the “nitrokey” group. You may want to install the nitrokey-app package, depending on your device and needs.
Type: boolean
Default:
falseDeclared by:
hardware.nitrokey.group¶
Grant access to Nitrokey devices to users in this group.
Type: string
Default:
"nitrokey"Example:
"wheel"Declared by:
hardware.nvidia.modesetting.enable¶
Enable kernel modesetting when using the NVIDIA proprietary driver.
Enabling this fixes screen tearing when using Optimus via PRIME (see. This is not enabled by default because it is not officially supported by NVIDIA and would not work with SLI.
Type: boolean
Default:
falseDeclared by:
hardware.nvidia.optimus_prime.enable¶
Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME. If enabled, the NVIDIA GPU will be always on and used for all rendering, while enabling output to displays attached only to the integrated Intel GPU without a multiplexer.
Note that this option only has any effect if the “nvidia” driver is specified in , and it should preferably be the only driver there.
If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be specified ( and).
If you enable this, you may want to also enable kernel modesetting for the NVIDIA driver () in order to prevent tearing.
Note that this configuration will only be successful when a display manager for which the option is supported is used.
Type: boolean
Default:
falseDeclared by:
hardware.nvidia.optimus_prime.allowExternalGpu¶
Configure X to allow external NVIDIA GPUs when using optimus.
Type: boolean
Default:
falseDeclared by:
hardware.nvidia.optimus_prime.intelBusId¶
Bus ID of the Intel GPU. You can find it using lspci; for example if lspci shows the Intel GPU at “00:02.0”, set this option to “PCI:0:2:0”.
Type: string
Default:
""Example:
"PCI:0:2:0"Declared by:
hardware.nvidia.optimus_prime.nvidiaBusId¶
Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci shows the NVIDIA GPU at “01:00.0”, set this option to “PCI:1:0:0”.
Type: string
Default:
""Example:
"PCI:1:0:0"Declared by:
hardware.nvidiaOptimus.disable¶
Completely disable the NVIDIA graphics card and use the integrated graphics processor instead.
Type: boolean
Default:
falseDeclared by:
hardware.onlykey.enable¶
hardware.opengl.enable¶
Whether to enable OpenGL drivers. This is needed to enable OpenGL support in X11 systems, as well as for Wayland compositors like sway and Weston. It is enabled by default by the corresponding modules, so you do not usually have to set it yourself, only if there is no module for your wayland compositor of choice. See services.xserver.enable and programs.sway.enable.
Type: boolean
Default:
falseDeclared by:
hardware.opengl.driSupport¶
Whether to enable accelerated OpenGL rendering through the Direct Rendering Interface (DRI).
Type: boolean
Default:
trueDeclared by:
hardware.opengl.driSupport32Bit¶
On 64-bit systems, whether to support Direct Rendering for 32-bit applications (such as Wine). This is currently only supported for the
nvidiaand``ati_unfree`` drivers, as well as``Mesa``.Type: boolean
Default:
falseDeclared by:
hardware.opengl.extraPackages¶
Additional packages to add to OpenGL drivers. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
Type: list of packages
Default: ``[
]``
Example:
with pkgs; [ vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]Declared by:
hardware.opengl.extraPackages32¶
Additional packages to add to 32-bit OpenGL drivers on 64-bit systems. Used when is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers etc.
Type: list of packages
Default: ``[
]``
Example:
with pkgs.pkgsi686Linux; [ vaapiIntel libvdpau-va-gl vaapiVdpau ]Declared by:
hardware.opengl.s3tcSupport¶
Make S3TC(S3 Texture Compression) via libtxc_dxtn available to OpenGL drivers instead of the patent-free S2TC replacement.
Using this library may require a patent license depending on your location.
Type: boolean
Default:
falseDeclared by:
hardware.openrazer.enable¶
Whether to enable OpenRazer drivers and userspace daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.openrazer.devicesOffOnScreensaver¶
Turn off the devices when the systems screensaver kicks in.
Type: boolean
Default:
trueDeclared by:
hardware.openrazer.keyStatistics¶
Collects number of keypresses per hour per key used to generate a heatmap.
Type: boolean
Default:
falseDeclared by:
hardware.openrazer.mouseBatteryNotifier¶
Mouse battery notifier.
Type: boolean
Default:
trueDeclared by:
hardware.openrazer.syncEffectsEnabled¶
Set the sync effects flag to true so any assignment of effects will work across devices.
Type: boolean
Default:
trueDeclared by:
hardware.openrazer.verboseLogging¶
Whether to enable verbose logging. Logs debug messages.
Type: boolean
Default:
falseDeclared by:
hardware.parallels.enable¶
This enables Parallels Tools for Linux guests, along with provided video, mouse and other hardware drivers.
Type: boolean
Default:
falseDeclared by:
hardware.parallels.package¶
Defines which package to use for prl-tools. Override to change the version.
Type: package
Default:
"config.boot.kernelPackages.prl-tools"Example:
config.boot.kernelPackages.prl-toolsDeclared by:
hardware.pcmcia.enable¶
Enable this option to support PCMCIA card.
Type: boolean
Default:
falseDeclared by:
hardware.pcmcia.config¶
Path to the configuration file which maps the memory, IRQs and ports used by the PCMCIA hardware.
Type: unspecified
Default:
nullDeclared by:
hardware.pcmcia.firmware¶
List of firmware used to handle specific PCMCIA card.
Type: list of paths
Default: ``[
]``
Declared by:
hardware.printers.ensureDefaultPrinter¶
Ensures the named printer is the default CUPS printer / printer queue.
Type: null or printable string without spaces, # and /
Default:
nullDeclared by:
hardware.printers.ensurePrinters¶
Will regularly ensure that the given CUPS printers are configured as declared here. If a printer’s options are manually changed afterwards, they will be overwritten eventually. This option will never delete any printer, even if removed from this list. You can check existing printers with lpstat -s and remove printers with lpadmin -x <printer-name>. Printers not listed here can still be manually configured.
Type: list of submodules
Default: ``[
]``
Declared by:
hardware.printers.ensurePrinters.*.description¶
Optional human-readable description.
Type: null or string
Default:
nullExample:
"Brother HL-5140"Declared by:
hardware.printers.ensurePrinters.*.deviceUri¶
How to reach the printer.:command:lpinfo -v shows a list of supported device URIs and schemes.
Type: string
Example:
[ "ipp://printserver.local/printers/BrotherHL_Workroom" "usb://HP/DESKJET%20940C?serial=CN16E6C364BH" ]Declared by:
hardware.printers.ensurePrinters.*.location¶
Optional human-readable location.
Type: null or string
Default:
nullExample:
"Workroom"Declared by:
hardware.printers.ensurePrinters.*.model¶
Location of the ppd driver file for the printer.:command:lpinfo -m shows a list of supported models.
Type: string
Example:
gutenprint.${lib.version.majorMinor (lib.getVersion pkgs.cups)}://brother-hl-5140/expertDeclared by:
hardware.printers.ensurePrinters.*.name¶
Name of the printer / printer queue. May contain any printable characters except “/”, “#”, and space.
Type: printable string without spaces, # and /
Example:
"BrotherHL_Workroom"Declared by:
hardware.printers.ensurePrinters.*.ppdOptions¶
Sets PPD options for the printer.:command:lpoptions [-p printername] -l shows suported PPD options for the given printer.
Type: attribute set of strings
Default: ``{
}``
Example:
{ Duplex = "DuplexNoTumble"; PageSize = "A4"; }Declared by:
hardware.pulseaudio.enable¶
Whether to enable the PulseAudio sound server.
Type: boolean
Default:
falseDeclared by:
hardware.pulseaudio.package¶
The PulseAudio derivation to use. This can be used to enable features (such as JACK support, Bluetooth) via the``pulseaudioFull`` package.
Type: package
Default:
"pkgs.pulseaudio"Example:
pkgs.pulseaudioFullDeclared by:
hardware.pulseaudio.configFile¶
The path to the default configuration options the PulseAudio server should use. By default, the “default.pa” configuration from the PulseAudio distribution is used.
Type: null or path
Declared by:
hardware.pulseaudio.daemon.config¶
Config of the pulse daemon. See
man pulse-daemon.conf.Type: attribute set of unspecifieds
Default: ``{
}``
Example:
{ realtime-scheduling = "yes"; }Declared by:
hardware.pulseaudio.daemon.logLevel¶
The log level that the system-wide pulseaudio daemon should use, if activated.
Type: string
Default:
"notice"Declared by:
hardware.pulseaudio.extraClientConf¶
Extra configuration appended to pulse/client.conf file.
Type: strings concatenated with “\n”
Default:
""Declared by:
hardware.pulseaudio.extraConfig¶
Literal string to append to
configFileand the config file generated by the pulseaudio module.Type: strings concatenated with “\n”
Default:
""Declared by:
hardware.pulseaudio.extraModules¶
Extra pulseaudio modules to use. This is intended for out-of-tree pulseaudio modules like extra bluetooth codecs.
Extra modules take precedence over built-in pulseaudio modules.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.pulseaudio-modules-bt ]Declared by:
hardware.pulseaudio.support32Bit¶
Whether to include the 32-bit pulseaudio libraries in the system or not. This is only useful on 64-bit systems and currently limited to x86_64-linux.
Type: boolean
Default:
falseDeclared by:
hardware.pulseaudio.systemWide¶
If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. The server runs with user privileges. If true, one system-wide PulseAudio server is launched on boot, running as the user “pulse”, and only users in the “audio” group will have access to the server. Please read the PulseAudio documentation for more details.
Don’t enable this option unless you know what you are doing.
Type: boolean
Default:
falseDeclared by:
hardware.pulseaudio.tcp.enable¶
Whether to enable tcp streaming support.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.pulseaudio.tcp.anonymousClients.allowAll¶
Whether to enable all anonymous clients to stream to the server.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges¶
A list of IP subnets that are allowed to stream to the server.
Type: list of strings
Default: ``[
]``
Example:
[ "127.0.0.1" "192.168.1.0/24" ]Declared by:
hardware.pulseaudio.zeroconf.discovery.enable¶
Whether to enable discovery of pulseaudio sinks in the local network.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.pulseaudio.zeroconf.publish.enable¶
Whether to enable publishing the pulseaudio sink in the local network.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.raid.HPSmartArray.enable¶
Whether to enable HP Smart Array kernel modules and CLI utility.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.sane.enable¶
Enable support for SANE scanners.
Note
Users in the “scanner” group will gain access to the scanner, or the “lp” group if it’s also a printer.
Type: boolean
Default:
falseDeclared by:
hardware.sane.brscan4.enable¶
When enabled, will automatically register the “brscan4” sane backend and bring configuration files to their expected location.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.sane.brscan4.netDevices¶
The list of network devices that will be registered against the brscan4 sane backend.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ office1 = { ip = "192.168.1.2"; model = "MFC-7860DW"; } ; office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; } ; }Declared by:
hardware.sane.brscan4.netDevices.<name?>.ip¶
The ip address of the device. If undefined, you will have to provide a nodename.
Type: null or string
Default:
nullExample:
192.168.1.2Declared by:
hardware.sane.brscan4.netDevices.<name?>.model¶
The model of the network device.
Type: string
Example:
MFC-7860DWDeclared by:
hardware.sane.brscan4.netDevices.<name?>.name¶
The friendly name you give to the network device. If undefined, the name of attribute will be used.
Type: string
Example:
office1Declared by:
hardware.sane.brscan4.netDevices.<name?>.nodename¶
The node name of the device. If undefined, you will have to provide an ip.
Type: null or string
Default:
nullExample:
BRW0080927AFBCEDeclared by:
hardware.sane.dsseries.enable¶
When enabled, will automatically register the “dsseries” SANE backend.
This supports the Brother DSmobile scanner series, including the DS-620, DS-720D, DS-820W, and DS-920DW scanners.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.sane.extraBackends¶
Packages providing extra SANE backends to enable.
Note
The example contains the package for HP scanners.
Type: list of paths
Default: ``[
]``
Example:
[ pkgs.hplipWithPlugin ]Declared by:
hardware.sane.netConf¶
Network hosts that should be probed for remote scanners.
Type: strings concatenated with “\n”
Default:
""Example:
"192.168.0.16"Declared by:
hardware.sane.snapshot¶
Use a development snapshot of SANE scanner drivers.
Type: boolean
Default:
falseDeclared by:
hardware.sensor.iio.enable¶
Enable this option to support IIO sensors.
Type: boolean
Default:
falseDeclared by:
hardware.steam-hardware.enable¶
Enable udev rules for Steam hardware such as the Steam Controller, other supported controllers and the HTC Vive
Type: boolean
Default:
falseDeclared by:
hardware.trackpoint.enable¶
Enable sensitivity and speed configuration for trackpoints.
Type: boolean
Default:
falseDeclared by:
hardware.trackpoint.device¶
The device name of the trackpoint. You can check with xinput. Some newer devices (example x1c6) use “TPPS/2 Elan TrackPoint”.
Type: string
Default:
"TPPS/2 IBM TrackPoint"Declared by:
hardware.trackpoint.emulateWheel¶
Enable scrolling while holding the middle mouse button.
Type: boolean
Default:
falseDeclared by:
hardware.trackpoint.fakeButtons¶
Switch to “bare” PS/2 mouse support in case Trackpoint buttons are not recognized properly. This can happen for example on models like the L430, T450, T450s, on which the Trackpoint buttons are actually a part of the Synaptics touchpad.
Type: boolean
Default:
falseDeclared by:
hardware.trackpoint.sensitivity¶
Configure the trackpoint sensitivity. By default, the kernel configures 128.
Type: signed integer
Default:
128Example:
255Declared by:
hardware.trackpoint.speed¶
Configure the trackpoint speed. By default, the kernel configures 97.
Type: signed integer
Default:
97Example:
255Declared by:
hardware.tuxedo-keyboard.enable¶
Whether to enable Enables the tuxedo-keyboard driver.
To configure the driver, pass the options to the configuration. There are several parameters you can change. It’s best to check at the source code description which options are supported. You can find all the supported parameters at: ` <https://github.com/tuxedocomputers/tuxedo-keyboard#kernelparam>`_
In order to use the
customlighting with the maximumg brightness and a color of0xff0a0aone would put pass like this:boot.kernelParams = [ "tuxedo_keyboard.mode=0" "tuxedo_keyboard.brightness=255" "tuxedo_keyboard.color_left=0xff0a0a" ];.
Type: boolean
Default:
falseExample:
trueDeclared by:
hardware.u2f.enable¶
Enable U2F hardware support.
Type: boolean
Default:
falseDeclared by:
hardware.usbWwan.enable¶
Enable this option to support USB WWAN adapters.
Type: boolean
Default:
falseDeclared by:
i18n.defaultLocale¶
The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.
Type: string
Default:
"en_US.UTF-8"Example:
"nl_NL.UTF-8"Declared by:
i18n.extraLocaleSettings¶
A set of additional system-wide locale settings other than``LANG`` which can be configured with.
Type: attribute set of strings
Default: ``{
}``
Example:
{ LC_MESSAGES = "en_US.UTF-8"; LC_TIME = "de_DE.UTF-8"; }Declared by:
i18n.glibcLocales¶
Customized pkg.glibcLocales package.
Changing this option can disable handling of i18n.defaultLocale and supportedLocale.
Type: path
Default:
*(build of glibc-locales-2.30)*Example:
pkgs.glibcLocalesDeclared by:
i18n.inputMethod.enabled¶
Select the enabled input method. Input methods is a software to input symbols that are not available on standard input devices.
Input methods are specially used to input Chinese, Japanese and Korean characters.
Currently the following input methods are available in NixOS:
- ibus: The intelligent input bus, extra input engines can be added using
i18n.inputMethod.ibus.engines.- fcitx: A customizable lightweight input method, extra input engines can be added using
i18n.inputMethod.fcitx.engines.- nabi: A Korean input method based on XIM. Nabi doesn’t support Qt 5.
- uim: The universal input method, is a library with a XIM bridge. uim mainly support Chinese, Japanese and Korean.
Type: null or one of “ibus”, “fcitx”, “nabi”, “uim”
Default:
nullExample:
"fcitx"Declared by:
i18n.inputMethod.fcitx.engines¶
Enabled Fcitx engines. Available engines are:
anthy,chewing,cloudpinyin,hangul,libpinyin,m17n,mozc,rime,skk,table-extra,table-other,unikey.Type: list of packages
Default: ``[
]``
Example:
with pkgs.fcitx-engines; [ mozc hangul ]Declared by:
i18n.inputMethod.ibus.engines¶
Enabled IBus engines. Available engines are:
anthy,hangul,kkc,libpinyin,m17n,mozc,table,table-chinese,table-others,typing-booster,typing-booster-unwrapped,uniemoji.Type: list of packages
Default: ``[
]``
Example:
with pkgs.ibus-engines; [ mozc hangul ]Declared by:
i18n.inputMethod.ibus.panel¶
Replace the IBus panel with another panel.
Type: null or path
Default:
nullExample:
''${pkgs.plasma5.plasma-desktop}/lib/libexec/kimpanel-ibus-panelDeclared by:
i18n.inputMethod.uim.toolbar¶
selected UIM toolbar.
Type: one of “gtk”, “gtk3”, “gtk-systray”, “gtk3-systray”, “qt4”
Default:
"gtk"Example:
"gtk-systray"Declared by:
i18n.supportedLocales¶
List of locales that the system should support. The value``”all”`` means that all locales supported by Glibc will be installed. A full list of supported locales can be found at ` <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>`_.
Type: list of strings
Default:
[ "all" ]Example:
[ "en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1" ]Declared by:
jobs.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
jobs.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.confinement.enable¶
If set, all the required runtime store paths for this service are bind-mounted into a
tmpfs-based chroot2.Type: boolean
Default:
falseDeclared by:
jobs.<name>.confinement.packages¶
Additional packages or strings with context to add to the closure of the chroot. By default, this includes all the packages from the, , , , and options. If you want to have all the dependencies of this systemd unit, you can use.
Note
The store paths listed in are*not* included in the closure as well as paths from other options except those listed above.
Type: list of string or packages
Default: ``[
]``
Declared by:
jobs.<name>.confinement.binSh¶
The program to make available as
/bin/shinside the chroot. If this is set tonull, no:file:/bin/sh is provided at all.This is useful for some applications, which for example use thesystem3 library function to execute commands.
Type: null or path
Default:
"config.environment.binsh"Example:
${pkgs.dash}/bin/dashDeclared by:
jobs.<name>.confinement.fullUnit¶
Whether to include the full closure of the systemd unit file into the chroot, instead of just the dependencies for the executables.
Warning
While it may be tempting to just enable this option to make things work quickly, please be aware that this might add paths to the closure of the chroot that you didn’t anticipate. It’s better to use to explicitly add additional store paths to the chroot.
Type: boolean
Default:
falseDeclared by:
jobs.<name>.confinement.mode¶
The value
full-apivfs(the default) sets up private/dev,/proc,/sysand/tmpfile systems in a separate user name space.If this is set to
chroot-only, only the file system name space is set up along with the call to chroot2.Note
This doesn’t cover network namespaces and is solely for file system level isolation.
Type: one of “full-apivfs”, “chroot-only”
Default:
"full-apivfs"Declared by:
jobs.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
jobs.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.environment¶
Environment variables passed to the service’s processes.
Type: attribute set of null or string or path or packages
Default: ``{
}``
Example:
{ LANG = "nl_NL.UTF-8"; PATH = "/foo/bar/bin"; }Declared by:
jobs.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.path¶
Packages added to the service’s PATH environment variable. Both the
binandsbinsubdirectories of each package are added.Type: unspecified
Default: ``[
]``
Declared by:
jobs.<name>.postStart¶
Shell commands executed after the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
jobs.<name>.postStop¶
Shell commands executed after the service’s main process has exited.
Type: strings concatenated with “\n”
Default:
""Declared by:
jobs.<name>.preStart¶
Shell commands executed before the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
jobs.<name>.preStop¶
Shell commands executed to stop the service.
Type: strings concatenated with “\n”
Default:
""Declared by:
jobs.<name>.reload¶
Shell commands executed when the service’s main process is reloaded.
Type: strings concatenated with “\n”
Default:
""Declared by:
jobs.<name>.reloadIfChanged¶
Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of is ignored.
Type: boolean
Default:
falseDeclared by:
jobs.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.restartIfChanged¶
Whether the service should be restarted during a NixOS configuration switch if its definition has changed.
Type: boolean
Default:
trueDeclared by:
jobs.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
jobs.<name>.script¶
Shell commands executed as the service’s main process.
Type: strings concatenated with “\n”
Default:
""Declared by:
jobs.<name>.scriptArgs¶
Arguments passed to the main process script.
Type: string
Default:
""Declared by:
jobs.<name>.serviceConfig¶
Each attribute in this set specifies an option in the``[Service]`` section of the unit. Seesystemd.service5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RestartSec = 5; StartLimitInterval = 10; }Declared by:
jobs.<name>.startAt¶
Automatically start this unit at the given date/time, which must be in the format described insystemd.time7. This is equivalent to adding a corresponding timer unit with set to the value given here.
Type: string or list of strings
Default: ``[
]``
Example:
"Sun 14:00:00"Declared by:
jobs.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
jobs.<name>.stopIfChanged¶
If set, a changed unit is restarted by calling:command:systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using:command:systemctl restart in the new configuration. The latter is less correct because it runs the``ExecStop`` commands from the new configuration.
Type: boolean
Default:
trueDeclared by:
jobs.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
jobs.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
jobs.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
krb5.enable¶
Whether to enable building krb5.conf, configuration file for Kerberos V.
Type: boolean
Default:
falseExample:
trueDeclared by:
krb5.appdefaults¶
Settings used by some Kerberos V5 applications.
Type: attribute set or strings concatenated with “\n”
Default: ``{
}``
Example:
{ pam = { debug = false; ticket_lifetime = 36000; renew_lifetime = 36000; max_timeout = 30; timeout_shift = 2; initial_timeout = 1; }; };Declared by:
krb5.capaths¶
Authentication paths for non-hierarchical cross-realm authentication.
Type: attribute set or strings concatenated with “\n”
Default: ``{
}``
Example:
{ "ATHENA.MIT.EDU" = { "EXAMPLE.COM" = "."; }; "EXAMPLE.COM" = { "ATHENA.MIT.EDU" = "."; }; };Declared by:
krb5.config¶
Verbatim
krb5.confconfiguration. Note that this is mutually exclusive with configuration via``libdefaults``,realms,``domain_realm``,capaths,``appdefaults``,pluginsand``extraConfig`` configuration options. Consult``man krb5.conf`` for documentation.Type: null or strings concatenated with “\n”
Default:
nullExample:
'' [libdefaults] default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { admin_server = kerberos.example.com kdc = kerberos.example.com default_principal_flags = +preauth } [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM [logging] kdc = SYSLOG:NOTICE admin_server = SYSLOG:NOTICE default = SYSLOG:NOTICE ''Declared by:
krb5.defaultRealm¶
DEPRECATED, please use``krb5.libdefaults.default_realm``.
Type: null or string
Default:
nullExample:
"ATHENA.MIT.EDU"Declared by:
krb5.domainRealm¶
DEPRECATED, please create a map of server hostnames to Kerberos realms in
krb5.domain_realm.Type: null or string
Default:
nullExample:
"athena.mit.edu"Declared by:
krb5.domain_realm¶
Map of server hostnames to Kerberos realms.
Type: attribute set or strings concatenated with “\n”
Default: ``{
}``
Example:
{ "example.com" = "EXAMPLE.COM"; ".example.com" = "EXAMPLE.COM"; };Declared by:
krb5.extraConfig¶
These lines go to the end of
krb5.confverbatim.``krb5.conf`` may include any of the relations that are valid forkdc.conf(seeman kdc.conf), but it is not a recommended practice.Type: null or strings concatenated with “\n”
Default:
nullExample:
'' [logging] kdc = SYSLOG:NOTICE admin_server = SYSLOG:NOTICE default = SYSLOG:NOTICE ''Declared by:
krb5.kdc¶
DEPRECATED, please pass a
kdcattribute to a realm inkrb5.realms.Type: null or string
Default:
nullExample:
"kerberos.mit.edu"Declared by:
krb5.kerberos¶
The Kerberos implementation that will be present in``environment.systemPackages`` after enabling this service.
Type: package
Default:
"pkgs.krb5Full"Example:
pkgs.heimdalFullDeclared by:
krb5.kerberosAdminServer¶
DEPRECATED, please pass an
admin_serverattribute to a realm inkrb5.realms.Type: null or string
Default:
nullExample:
"kerberos.mit.edu"Declared by:
krb5.libdefaults¶
Settings used by the Kerberos V5 library.
Type: attribute set or strings concatenated with “\n”
Default: ``{
}``
Example:
{ default_realm = "ATHENA.MIT.EDU"; };Declared by:
krb5.plugins¶
Controls plugin module registration.
Type: attribute set or strings concatenated with “\n”
Default: ``{
}``
Example:
{ ccselect = { disable = "k5identity"; }; };Declared by:
krb5.realms¶
Realm-specific contact information and settings.
Type: attribute set or strings concatenated with “\n”
Default: ``{
}``
Example:
{ "ATHENA.MIT.EDU" = { admin_server = "athena.mit.edu"; kdc = "athena.mit.edu"; }; };Declared by:
lib¶
This option allows modules to define helper functions, constants, etc.
Type: attribute set of attribute sets
Default: ``{
}``
Declared by:
location.latitude¶
Your current latitude, between``-90.0`` and
90.0. Must be provided along with longitude.Type: floating point number
Declared by:
location.longitude¶
Your current longitude, between between
-180.0and180.0. Must be provided along with latitude.Type: floating point number
Declared by:
location.provider¶
The location provider to use for determining your location. If set to``manual`` you must also provide latitude/longitude.
Type: one of “manual”, “geoclue2”
Default:
"manual"Declared by:
nesting.children¶
nesting.clone¶
Additional configurations to build based on the current configuration which then has a lower priority.
To switch to a cloned configuration (e.g.
child-1) at runtime, run# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration testType: unspecified
Default: ``[
]``
Declared by:
networking.enableB43Firmware¶
Turn on this option if you want firmware for the NICs supported by the b43 module.
Type: boolean
Default:
falseDeclared by:
networking.enableIPv6¶
Whether to enable support for IPv6.
Type: boolean
Default:
trueDeclared by:
networking.enableIntel2200BGFirmware¶
Turn on this option if you want firmware for the Intel PRO/Wireless 2200BG to be loaded automatically. This is required if you want to use this device.
Type: boolean
Default:
falseDeclared by:
networking.bonds¶
This option allows you to define bond devices that aggregate multiple, underlying networking interfaces together. The value of this option is an attribute set. Each attribute specifies a bond, with the attribute name specifying the name of the bond’s network interface
Type: attribute set of submodules
Default: ``{
}``
Example:
*Declared by:*
networking.bonds.<name>.driverOptions¶
Options for the bonding driver. Documentation can be found in` <https://www.kernel.org/doc/Documentation/networking/bonding.txt>`_
Type: attribute set of strings
Default: ``{
}``
Example:
*Declared by:*
networking.bonds.<name>.interfaces¶
The interfaces to bond together
Type: list of strings
Example:
[ "enp4s0f0" "enp4s0f1" "wlan0" ]Declared by:
networking.bonds.<name>.lacp_rate¶
DEPRECATED, use `driverOptions`. Option specifying the rate in which we’ll ask our link partner to transmit LACPDU packets in 802.3ad mode.
Type: null or string
Default:
nullExample:
"fast"Declared by:
networking.bonds.<name>.miimon¶
DEPRECATED, use `driverOptions`. Miimon is the number of millisecond in between each round of polling by the device driver for failed links. By default polling is not enabled and the driver is trusted to properly detect and handle failure scenarios.
Type: null or signed integer
Default:
nullExample:
100Declared by:
networking.bonds.<name>.mode¶
DEPRECATED, use `driverOptions`. The mode which the bond will be running. The default mode for the bonding driver is balance-rr, optimizing for throughput. More information about valid modes can be found at https://www.kernel.org/doc/Documentation/networking/bonding.txt
Type: null or string
Default:
nullExample:
"active-backup"Declared by:
networking.bonds.<name>.xmit_hash_policy¶
DEPRECATED, use `driverOptions`. Selects the transmit hash policy to use for slave selection in balance-xor, 802.3ad, and tlb modes.
Type: null or string
Default:
nullExample:
"layer2+3"Declared by:
networking.bridges¶
This option allows you to define Ethernet bridge devices that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a bridge, with the attribute name specifying the name of the bridge’s network interface.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ br0 = { interfaces = [ "eth0" "eth1" ] ; } ; br1 = { interfaces = [ "eth2" "wlan0" ] ; } ; }Declared by:
networking.bridges.<name>.interfaces¶
The physical network interfaces connected by the bridge.
Type: list of strings
Example:
[ "eth0" "eth1" ]Declared by:
networking.bridges.<name>.rstp¶
Whether the bridge interface should enable rstp.
Type: boolean
Default:
falseDeclared by:
networking.defaultGateway¶
The default gateway. It can be left empty if it is auto-detected through DHCP. It can be specified as a string or an option set along with a network interface.
Type: null or submodule or string convertible to it
Default:
nullExample:
{ address = "131.211.84.1"; interface = "enp3s0"; }Declared by:
networking.defaultGateway.address¶
The default gateway address.
Type: string
Declared by:
networking.defaultGateway.interface¶
The default gateway interface.
Type: null or string
Default:
nullExample:
"enp0s3"Declared by:
networking.defaultGateway.metric¶
The default gateway metric/preference.
Type: null or signed integer
Default:
nullExample:
42Declared by:
networking.defaultGateway6¶
The default ipv6 gateway. It can be left empty if it is auto-detected through DHCP. It can be specified as a string or an option set along with a network interface.
Type: null or submodule or string convertible to it
Default:
nullExample:
{ address = "2001:4d0:1e04:895::1"; interface = "enp3s0"; }Declared by:
networking.defaultGateway6.address¶
The default gateway address.
Type: string
Declared by:
networking.defaultGateway6.interface¶
The default gateway interface.
Type: null or string
Default:
nullExample:
"enp0s3"Declared by:
networking.defaultGateway6.metric¶
The default gateway metric/preference.
Type: null or signed integer
Default:
nullExample:
42Declared by:
networking.defaultGatewayWindowSize¶
The window size of the default gateway. It limits maximal data bursts that TCP peers are allowed to send to us.
Type: null or signed integer
Default:
nullExample:
524288Declared by:
networking.dhcpcd.enable¶
Whether to enable dhcpcd for device configuration. This is mainly to explicitly disable dhcpcd (for example when using networkd).
Type: boolean
Default:
trueDeclared by:
networking.dhcpcd.allowInterfaces¶
Enable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. Any interface not explicitly matched by this pattern will be denied. This pattern only applies when non-null.
Type: null or list of strings
Default:
nullDeclared by:
networking.dhcpcd.denyInterfaces¶
Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. The purpose of this option is to blacklist virtual interfaces such as those created by Xen, libvirt, LXC, etc.
Type: list of strings
Default: ``[
]``
Declared by:
networking.dhcpcd.extraConfig¶
Literal string to append to the config file generated for dhcpcd.
Type: strings concatenated with “\n”
Default:
""Declared by:
networking.dhcpcd.persistent¶
Whenever to leave interfaces configured on dhcpcd daemon shutdown. Set to true if you have your root or store mounted over the network or this machine accepts SSH connections through DHCP interfaces and clients should be notified when it shuts down.
Type: boolean
Default:
falseDeclared by:
networking.dhcpcd.runHook¶
Shell code that will be run after all other hooks. See `man dhcpcd-run-hooks` for details on what is possible.
Type: strings concatenated with “\n”
Default:
""Example:
"if \[[ \\$reason =~ BOUND ]]; then echo \\$interface: Routers are \\$new_routers - were \\$old_routers; fi"Declared by:
networking.dhcpcd.wait¶
This option specifies when the dhcpcd service will fork to background. If set to “background”, dhcpcd will fork to background immediately. If set to “ipv4” or “ipv6”, dhcpcd will wait for the corresponding IP address to be assigned. If set to “any”, dhcpcd will wait for any type (IPv4 or IPv6) to be assigned. If set to “both”, dhcpcd will wait for both an IPv4 and an IPv6 address before forking. The option “if-carrier-up” is equivalent to “any” if either ethernet is plugged nor WiFi is powered, and to “background” otherwise.
Type: one of “background”, “any”, “ipv4”, “ipv6”, “both”, “if-carrier-up”
Default:
"any"Declared by:
networking.domain¶
The domain. It can be left empty if it is auto-detected through DHCP.
Type: null or string
Default:
nullExample:
"home"Declared by:
networking.extraHosts¶
Additional verbatim entries to be appended to
/etc/hosts.Type: strings concatenated with “\n”
Default:
""Example:
"192.168.0.1 lanlocalhost"Declared by:
networking.firewall.enable¶
Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.
Type: boolean
Default:
trueDeclared by:
networking.firewall.package¶
The iptables package to use for running the firewall service.”
Type: package
Default:
"pkgs.iptables"Example:
pkgs.iptables-nftables-compatDeclared by:
networking.firewall.allowPing¶
Whether to respond to incoming ICMPv4 echo requests (“pings”). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.
Type: boolean
Default:
trueDeclared by:
networking.firewall.allowedTCPPortRanges¶
networking.firewall.allowedTCPPorts¶
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s
Default: ``[
]``
Example:
[ 22 80 ]Declared by:
networking.firewall.allowedUDPPortRanges¶
networking.firewall.allowedUDPPorts¶
List of open UDP ports.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s
Default: ``[
]``
Example:
[ 53 ]Declared by:
networking.firewall.autoLoadConntrackHelpers¶
Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules
(needs kernel 3.5+)
Type: boolean
Default:
falseDeclared by:
networking.firewall.checkReversePath¶
Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused.
If using asymmetric routing or other complicated routing, set this option to loose mode or disable it and setup your own counter-measures.
This option can be either true (or “strict”), “loose” (only drop the packet if the source address is not reachable via any interface) or false. Defaults to the value of kernelHasRPFilter.
(needs kernel 3.3+)
Type: boolean or one of “strict”, “loose”
Default:
trueExample:
"loose"Declared by:
networking.firewall.connectionTrackingModules¶
List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example.
As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default.
Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/
Type: list of strings
Default: ``[
]``
Example:
[ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]Declared by:
networking.firewall.extraCommands¶
Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final “reject” firewall rule is added, so they can be used to allow packets that would otherwise be refused.
Type: strings concatenated with “\n”
Default:
""Example:
"iptables -A INPUT -p icmp -j ACCEPT"Declared by:
networking.firewall.extraPackages¶
Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.ipset ]Declared by:
networking.firewall.extraStopCommands¶
Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed state.
Type: strings concatenated with “\n”
Default:
""Example:
"iptables -P INPUT ACCEPT"Declared by:
networking.firewall.interfaces¶
networking.firewall.interfaces.<name>.allowedTCPPortRanges¶
networking.firewall.interfaces.<name>.allowedTCPPorts¶
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s
Default: ``[
]``
Example:
[ 22 80 ]Declared by:
networking.firewall.interfaces.<name>.allowedUDPPortRanges¶
networking.firewall.interfaces.<name>.allowedUDPPorts¶
List of open UDP ports.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s
Default: ``[
]``
Example:
[ 53 ]Declared by:
networking.firewall.logRefusedConnections¶
Whether to log rejected or dropped incoming connections.
Type: boolean
Default:
trueDeclared by:
networking.firewall.logRefusedPackets¶
Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it’s mostly useful for debugging.
Type: boolean
Default:
falseDeclared by:
networking.firewall.logRefusedUnicastsOnly¶
If and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.
Type: boolean
Default:
trueDeclared by:
networking.firewall.logReversePathDrops¶
Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.
Type: boolean
Default:
falseDeclared by:
networking.firewall.pingLimit¶
If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like “–limit 1/minute –limit-burst 5”
Type: null or strings concatenated with ” “
Default:
nullExample:
"--limit 1/minute --limit-burst 5"Declared by:
networking.firewall.rejectPackets¶
If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP “port unreachable” error message is sent back to the client (or a TCP RST packet in case of an existing connection). Rejecting packets makes port scanning somewhat easier.
Type: boolean
Default:
falseDeclared by:
networking.firewall.trustedInterfaces¶
Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.
Type: list of strings
Default: ``[
]``
Example:
[ "enp0s2" ]Declared by:
networking.hostId¶
The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.
You should try to make this ID unique among your machines. You can generate a random 32-bit ID using the following commands:
head -c 8 /etc/machine-id(this derives it from the machine-id that systemd generates) or
head -c4 /dev/urandom | od -A none -t x4Type: null or string
Default:
nullExample:
"4e98920d"Declared by:
networking.hostName¶
The name of the machine. Leave it empty if you want to obtain it from a DHCP server (if using DHCP).
Type: string
Default:
"nixos"Declared by:
networking.hosts¶
Locally defined maps of hostnames to IP addresses.
Type: attribute set of list of stringss
Example:
{ "127.0.0.1" = [ "foo.bar.baz" ]; "192.168.0.2" = [ "fileserver.local" "nameserver.local" ]; };Declared by:
networking.interfaces¶
networking.interfaces.<name?>.ip4.*.address¶
IPv4 address of the interface. Leave empty to configure the interface using DHCP.
Type: string
Declared by:
networking.interfaces.<name?>.ip4.*.prefixLength¶
Subnet mask of the interface, specified as the number of bits in the prefix (
24).Type: signed integer
Declared by:
networking.interfaces.<name?>.ip6.*.address¶
IPv6 address of the interface. Leave empty to configure the interface using DHCP.
Type: string
Declared by:
networking.interfaces.<name?>.ip6.*.prefixLength¶
Subnet mask of the interface, specified as the number of bits in the prefix (
64).Type: signed integer
Declared by:
networking.interfaces.<name?>.ipv4.addresses¶
networking.interfaces.<name?>.ipv4.addresses.*.address¶
IPv4 address of the interface. Leave empty to configure the interface using DHCP.
Type: string
Declared by:
networking.interfaces.<name?>.ipv4.addresses.*.prefixLength¶
Subnet mask of the interface, specified as the number of bits in the prefix (
24).Type: signed integer
Declared by:
networking.interfaces.<name?>.ipv4.routes¶
networking.interfaces.<name?>.ipv4.routes.*.address¶
IPv4 address of the network.
Type: string
Declared by:
networking.interfaces.<name?>.ipv4.routes.*.options¶
Other route options. See the symbol
OPTIONSin theip-route(8)manual page for the details.Type: attribute set of strings
Default: ``{
}``
Example:
{ mtu = "1492"; window = "524288"; }Declared by:
networking.interfaces.<name?>.ipv4.routes.*.prefixLength¶
Subnet mask of the network, specified as the number of bits in the prefix (
24).Type: signed integer
Declared by:
networking.interfaces.<name?>.ipv4.routes.*.via¶
IPv4 address of the next hop.
Type: null or string
Default:
nullDeclared by:
networking.interfaces.<name?>.ipv6.addresses¶
networking.interfaces.<name?>.ipv6.addresses.*.address¶
IPv6 address of the interface. Leave empty to configure the interface using DHCP.
Type: string
Declared by:
networking.interfaces.<name?>.ipv6.addresses.*.prefixLength¶
Subnet mask of the interface, specified as the number of bits in the prefix (
64).Type: signed integer
Declared by:
networking.interfaces.<name?>.ipv6.routes¶
networking.interfaces.<name?>.ipv6.routes.*.address¶
IPv6 address of the network.
Type: string
Declared by:
networking.interfaces.<name?>.ipv6.routes.*.options¶
Other route options. See the symbol
OPTIONSin theip-route(8)manual page for the details.Type: attribute set of strings
Default: ``{
}``
Example:
{ mtu = "1492"; window = "524288"; }Declared by:
networking.interfaces.<name?>.ipv6.routes.*.prefixLength¶
Subnet mask of the network, specified as the number of bits in the prefix (
64).Type: signed integer
Declared by:
networking.interfaces.<name?>.ipv6.routes.*.via¶
IPv6 address of the next hop.
Type: null or string
Default:
nullDeclared by:
networking.interfaces.<name?>.macAddress¶
MAC address of the interface. Leave empty to use the default.
Type: null or string
Default:
nullExample:
"00:11:22:33:44:55"Declared by:
networking.interfaces.<name?>.mtu¶
MTU size for packets leaving the interface. Leave empty to use the default.
Type: null or signed integer
Default:
nullExample:
9000Declared by:
networking.interfaces.<name?>.name¶
Name of the interface.
Type: string
Example:
"eth0"Declared by:
networking.interfaces.<name?>.proxyARP¶
Turn on proxy_arp for this device (and proxy_ndp for ipv6). This is mainly useful for creating pseudo-bridges between a real interface and a virtual network such as VPN or a virtual machine for interfaces that don’t support real bridging (most wlan interfaces). As ARP proxying acts slightly above the link-layer, below-ip traffic isn’t bridged, so things like DHCP won’t work. The advantage above using NAT lies in the fact that no IP addresses are shared, so all hosts are reachable/routeable.
WARNING: turns on ip-routing, so if you have multiple interfaces, you should think of the consequence and setup firewall rules to limit this.
Type: boolean
Default:
falseDeclared by:
networking.interfaces.<name?>.tempAddress¶
When IPv6 is enabled with SLAAC, this option controls the use of temporary address (aka privacy extensions). This is used to reduce tracking. The three possible values are:
"default"to generate temporary addresses and use them by default;"enabled"to generate temporary addresses but keep using the standard EUI-64 ones by default;"disabled"to completely disable temporary addresses.Type: one of “default”, “enabled”, “disabled”
Default:
if cfg.enableIPv6 then "default" else "disabled"Declared by:
networking.interfaces.<name?>.useDHCP¶
Whether this interface should be configured with dhcp. Null implies the old behavior which depends on whether ip addresses are specified or not.
Type: null or boolean
Default:
nullDeclared by:
networking.interfaces.<name?>.virtual¶
Whether this interface is virtual and should be created by tunctl. This is mainly useful for creating bridges between a host and a virtual network such as VPN or a virtual machine.
Type: boolean
Default:
falseDeclared by:
networking.interfaces.<name?>.virtualOwner¶
In case of a virtual device, the user who owns it.
Type: string
Default:
"root"Declared by:
networking.interfaces.<name?>.virtualType¶
The type of interface to create. The default is TUN for an interface name starting with “tun”, otherwise TAP.
Type: one of “tun”, “tap”
Default:
if hasPrefix "tun" name then "tun" else "tap"Declared by:
networking.iproute2.enable¶
Whether to enable copy IP route configuration files.
Type: boolean
Default:
falseExample:
trueDeclared by:
networking.iproute2.rttablesExtraConfig¶
Verbatim lines to add to /etc/iproute2/rt_tables
Type: strings concatenated with “\n”
Default:
""Declared by:
networking.localCommands¶
Shell commands to be executed at the end of the``network-setup`` systemd service. Note that if you are using DHCP to obtain the network configuration, interfaces may not be fully configured yet.
Type: strings concatenated with “\n”
Default:
""Example:
"text=anything; echo You can put \\$text here."Declared by:
networking.macvlans¶
This option allows you to define macvlan interfaces which should be automatically created.
Type: attribute set of submodules
Default: ``{
}``
Example:
*Declared by:*
networking.macvlans.<name>.interface¶
The interface the macvlan will transmit packets through.
Type: string
Example:
"enp4s0"Declared by:
networking.macvlans.<name>.mode¶
The mode of the macvlan device.
Type: null or string
Default:
nullExample:
"vepa"Declared by:
networking.nameservers¶
The list of nameservers. It can be left empty if it is auto-detected through DHCP.
Type: list of strings
Default: ``[
]``
Example:
[ "130.161.158.4" "130.161.33.17" ]Declared by:
networking.nat.enable¶
Whether to enable Network Address Translation (NAT).
Type: boolean
Default:
falseDeclared by:
networking.nat.dmzHost¶
The local IP address to which all traffic that does not match any forwarding rule is forwarded.
Type: null or string
Default:
nullExample:
"10.0.0.1"Declared by:
networking.nat.externalIP¶
The public IP address to which packets from the local network are to be rewritten. If this is left empty, the IP address associated with the external interface will be used.
Type: null or string
Default:
nullExample:
"203.0.113.123"Declared by:
networking.nat.externalInterface¶
The name of the external network interface.
Type: null or string
Default:
nullExample:
"eth1"Declared by:
networking.nat.extraCommands¶
Additional shell commands executed as part of the nat initialisation script.
Type: strings concatenated with “\n”
Default:
""Example:
"iptables -A INPUT -p icmp -j ACCEPT"Declared by:
networking.nat.extraStopCommands¶
Additional shell commands executed as part of the nat teardown script.
Type: strings concatenated with “\n”
Default:
""Example:
"iptables -D INPUT -p icmp -j ACCEPT \|| true"Declared by:
networking.nat.forwardPorts¶
networking.nat.forwardPorts.*.destination¶
Forward connection to destination ip:port; to specify a port range, use ip:start-end
Type: string
Example:
"10.0.0.1:80"Declared by:
networking.nat.forwardPorts.*.loopbackIPs¶
Public IPs for NAT reflection; for connections to `loopbackip:sourcePort’ from the host itself and from other hosts behind NAT
Type: list of strings
Default: ``[
]``
Example:
[ "55.1.2.3" ]Declared by:
networking.nat.forwardPorts.*.proto¶
Protocol of forwarded connection
Type: string
Default:
"tcp"Example:
"udp"Declared by:
networking.nat.forwardPorts.*.sourcePort¶
Source port of the external interface; to specify a port range, use a string with a colon (e.g. “60000:61000”)
Type: signed integer or string matching the pattern [[:digit:]]+:[[:digit:]]+
Example:
8080Declared by:
networking.nat.internalIPs¶
The IP address ranges for which to perform NAT. Packets coming from these addresses (on any interface) and destined for the external interface will be rewritten.
Type: list of strings
Default: ``[
]``
Example:
[ "192.168.1.0/24" ]Declared by:
networking.nat.internalInterfaces¶
The interfaces for which to perform NAT. Packets coming from these interface and destined for the external interface will be rewritten.
Type: list of strings
Default: ``[
]``
Example:
[ "eth0" ]Declared by:
networking.networkmanager.enable¶
Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured. If enabled, a group
networkmanagerwill be created. Add all users that should have permission to change network settings to this group.Type: boolean
Default:
falseDeclared by:
networking.networkmanager.enableStrongSwan¶
Enable the StrongSwan plugin.
If you enable this option the``networkmanager_strongswan`` plugin will be added to the option so you don’t need to to that yourself.
Type: boolean
Default:
falseDeclared by:
networking.networkmanager.packages¶
Extra packages that provide NetworkManager plugins.
Type: list of packages
Default: ``[
]``
Declared by:
networking.networkmanager.appendNameservers¶
A list of name servers that should be appended to the ones configured in NetworkManager or received by DHCP.
Type: list of strings
Default: ``[
]``
Declared by:
networking.networkmanager.dhcp¶
Which program (or internal library) should be used for DHCP.
Type: one of “dhclient”, “dhcpcd”, “internal”
Default:
"internal"Declared by:
networking.networkmanager.dispatcherScripts¶
A list of scripts which will be executed in response to network events.
Type: list of submodules
Default: ``[
]``
Example:
[ { source = pkgs.writeText "upHook" '' if [ "$2" != "up" ]; then logger "exit: event $2 != up" exit fi # coreutils and iproute are in PATH too logger "Device $DEVICE_IFACE coming up" ''; type = "basic"; } ]Declared by:
networking.networkmanager.dispatcherScripts.*.source¶
Path to the hook script.
Type: path
Declared by:
networking.networkmanager.dispatcherScripts.*.type¶
Dispatcher hook type. Look up the hooks described at`https://developer.gnome.org/NetworkManager/stable/NetworkManager.html <https://developer.gnome.org/NetworkManager/stable/NetworkManager.html>`_ and choose the type depending on the output folder. You should then filter the event type (e.g., “up”/”down”) from within your script.
Type: one of “basic”, “pre-down”, “pre-up”
Default:
"basic"Declared by:
networking.networkmanager.dns¶
Set the DNS (
resolv.conf) processing mode.A description of these modes can be found in the main section of`https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html <https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html>`_ or inNetworkManager.conf5.
Type: one of “default”, “dnsmasq”, “unbound”, “systemd-resolved”, “none”
Default:
"default"Declared by:
networking.networkmanager.ethernet.macAddress¶
Set the MAC address of the interface.
“XX:XX:XX:XX:XX:XX”
MAC address of the interface
"permanent"Use the permanent MAC address of the device
"preserve"Don’t change the MAC address of the device upon activation
"random"Generate a randomized value upon each connect
"stable"Generate a stable, hashed MAC addressType: string or one of “permanent”, “preserve”, “random”, “stable”
Default:
"preserve"Example:
"00:11:22:33:44:55"Declared by:
networking.networkmanager.extraConfig¶
Configuration appended to the generated NetworkManager.conf. Refer to`https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html <https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html>`_ orNetworkManager.conf5 for more information.
Type: strings concatenated with “\n”
Default:
""Declared by:
networking.networkmanager.insertNameservers¶
A list of name servers that should be inserted before the ones configured in NetworkManager or received by DHCP.
Type: list of strings
Default: ``[
]``
Declared by:
networking.networkmanager.logLevel¶
Set the default logging verbosity level.
Type: one of “OFF”, “ERR”, “WARN”, “INFO”, “DEBUG”, “TRACE”
Default:
"WARN"Declared by:
networking.networkmanager.unmanaged¶
List of interfaces that will not be managed by NetworkManager. Interface name can be specified here, but if you need more fidelity, refer to`https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec <https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec>`_ or the “Device List Format” Appendix ofNetworkManager.conf5.
Type: list of strings
Default: ``[
]``
Declared by:
networking.networkmanager.wifi.backend¶
Specify the Wi-Fi backend used for the device. Currently supported are or (experimental).
Type: one of “wpa_supplicant”, “iwd”
Default:
"wpa_supplicant"Declared by:
networking.networkmanager.wifi.macAddress¶
Set the MAC address of the interface.
“XX:XX:XX:XX:XX:XX”
MAC address of the interface
"permanent"Use the permanent MAC address of the device
"preserve"Don’t change the MAC address of the device upon activation
"random"Generate a randomized value upon each connect
"stable"Generate a stable, hashed MAC addressType: string or one of “permanent”, “preserve”, “random”, “stable”
Default:
"preserve"Example:
"00:11:22:33:44:55"Declared by:
networking.networkmanager.wifi.powersave¶
Whether to enable Wi-Fi power saving.
Type: null or boolean
Default:
nullDeclared by:
networking.networkmanager.wifi.scanRandMacAddress¶
Whether to enable MAC address randomization of a Wi-Fi device during scanning.
Type: boolean
Default:
trueDeclared by:
networking.nftables.enable¶
Whether to enable nftables. nftables is a Linux-based packet filtering framework intended to replace frameworks like iptables.
This conflicts with the standard networking firewall, so make sure to disable it before using nftables.
Note that if you have Docker enabled you will not be able to use nftables without intervention. Docker uses iptables internally to setup NAT for containers. This module disables the ip_tables kernel module, however Docker automatically loads the module. Please see [1] for more information.
There are other programs that use iptables internally too, such as libvirt.
[1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
Type: boolean
Default:
falseDeclared by:
networking.nftables.ruleset¶
The ruleset to be used with nftables. Should be in a format that can be loaded using “/bin/nft -f”. The ruleset is updated atomically.
Type: strings concatenated with “\n”
Example:
'' # Check out https://wiki.nftables.org/ for better documentation. # Table for both IPv4 and IPv6. table inet filter { # Block all incomming connections traffic except SSH and "ping". chain input { type filter hook input priority 0; # accept any localhost traffic iifname lo accept # accept traffic originated from us ct state {established, related} accept # ICMP # routers may also want: mld-listener-query, nd-router-solicit ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept # allow "ping" ip6 nexthdr icmp icmpv6 type echo-request accept ip protocol icmp icmp type echo-request accept # accept SSH connections (required for a server) tcp dport 22 accept # count and drop any other traffic counter drop } # Allow all outgoing connections. chain output { type filter hook output priority 0; accept } chain forward { type filter hook forward priority 0; accept } } ''Declared by:
networking.nftables.rulesetFile¶
The ruleset file to be used with nftables. Should be in a format that can be loaded using “nft -f”. The ruleset is updated atomically.
Type: path
Default:
*(build of nftables-rules)*Declared by:
networking.proxy.allProxy¶
This option specifies the all_proxy environment variable.
Type: null or string
Default:
nullExample:
"http://127.0.0.1:3128"Declared by:
networking.proxy.default¶
This option specifies the default value for httpProxy, httpsProxy, ftpProxy and rsyncProxy.
Type: null or string
Default:
nullExample:
"http://127.0.0.1:3128"Declared by:
networking.proxy.ftpProxy¶
This option specifies the ftp_proxy environment variable.
Type: null or string
Default:
nullExample:
"http://127.0.0.1:3128"Declared by:
networking.proxy.httpProxy¶
This option specifies the http_proxy environment variable.
Type: null or string
Default:
nullExample:
"http://127.0.0.1:3128"Declared by:
networking.proxy.httpsProxy¶
This option specifies the https_proxy environment variable.
Type: null or string
Default:
nullExample:
"http://127.0.0.1:3128"Declared by:
networking.proxy.noProxy¶
This option specifies the no_proxy environment variable. If a default proxy is used and noProxy is null, then noProxy will be set to 127.0.0.1,localhost.
Type: null or string
Default:
nullExample:
"127.0.0.1,localhost,.localdomain"Declared by:
networking.proxy.rsyncProxy¶
This option specifies the rsync_proxy environment variable.
Type: null or string
Default:
nullExample:
"http://127.0.0.1:3128"Declared by:
networking.resolvconf.dnsExtensionMechanism¶
Enable the edns0 option in
resolv.conf. With that option set, glibc supports use of the extension mechanisms for DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC, which does not work without it.Type: boolean
Default:
trueDeclared by:
networking.resolvconf.dnsSingleRequest¶
Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) address queries at the same time, from the same port. Sometimes upstream routers will systemically drop the ipv4 queries. The symptom of this problem is that ‘getent hosts example.com’ only returns ipv6 (or perhaps only ipv4) addresses. The workaround for this is to specify the option ‘single-request’ in /etc/resolv.conf. This option enables that.
Type: boolean
Default:
falseDeclared by:
networking.resolvconf.extraConfig¶
Extra configuration to append to
resolvconf.conf.Type: strings concatenated with “\n”
Default:
""Example:
"libc=NO"Declared by:
networking.resolvconf.extraOptions¶
Set the options in
/etc/resolv.conf.Type: list of strings
Default: ``[
]``
Example:
[ "ndots:1" "rotate" ]Declared by:
networking.resolvconf.useLocalResolver¶
Use local DNS server for resolving.
Type: boolean
Default:
falseDeclared by:
networking.rxe.enable¶
Whether to enable RDMA over converged ethernet.
Type: boolean
Default:
falseExample:
trueDeclared by:
networking.rxe.interfaces¶
Enable RDMA on the listed interfaces. The corresponding virtual RDMA interfaces will be named rxe0 … rxeN where the ordering will be as they are named in the list. UDP port 4791 must be open on the respective ethernet interfaces.
Type: list of strings
Default: ``[
]``
Example:
[ "eth0" ]Declared by:
networking.search¶
The list of search paths used when resolving domain names.
Type: list of strings
Default: ``[
]``
Example:
[ "example.com" "local.domain" ]Declared by:
networking.sits¶
This option allows you to define 6-to-4 interfaces which should be automatically created.
Type: attribute set of submodules
Default: ``{
}``
Example:
*Declared by:*
networking.sits.<name>.dev¶
The underlying network device on which the tunnel resides.
Type: null or string
Default:
nullExample:
"enp4s0f0"Declared by:
networking.sits.<name>.local¶
The address of the local endpoint which the remote side should send packets to.
Type: null or string
Default:
nullExample:
"10.0.0.22"Declared by:
networking.sits.<name>.remote¶
The address of the remote endpoint to forward traffic over.
Type: null or string
Default:
nullExample:
"10.0.0.1"Declared by:
networking.sits.<name>.ttl¶
The time-to-live of the connection to the remote tunnel endpoint.
Type: null or signed integer
Default:
nullExample:
255Declared by:
networking.supplicant¶
Interfaces for which to start wpa_supplicant. The supplicant is used to scan for and associate with wireless networks, or to authenticate with 802.1x capable network switches.
The value of this option is an attribute set. Each attribute configures a:command:wpa_supplicant service, where the attribute name specifies the name of the interface that wpa_supplicant operates on. The attribute name can be a space separated list of interfaces. The attribute names
WLAN,LANandDBUShave a special meaning.WLANandLANare configurations for universal wpa_supplicant service that is started for each WLAN interface or for each LAN interface, respectively.``DBUS`` defines a device-unrelated wpa_supplicant service that can be accessed throughD-Bus.Type: attribute set of submodules
Default: ``{
}``
Example:
{ "wlan0 wlan1" = { configFile.path = "/etc/wpa_supplicant.conf"; userControlled.group = "network"; extraConf = '' ap_scan=1 p2p_disabled=1 ''; extraCmdArgs = "-u -W"; bridge = "br0"; }; }Declared by:
networking.supplicant.<name>.bridge¶
Name of the bridge interface that wpa_supplicant should listen at.
Type: string
Default:
""Declared by:
networking.supplicant.<name>.configFile.path¶
External
wpa_supplicant.confconfiguration file. The configuration options defined declaratively withinnetworking.supplicanthave precedence over options defined inconfigFile.Type: null or path
Default:
nullExample:
/etc/wpa_supplicant.confDeclared by:
networking.supplicant.<name>.configFile.writable¶
Whether the configuration file at
configFile.pathshould be written to by``wpa_supplicant``.Type: boolean
Default:
falseDeclared by:
networking.supplicant.<name>.driver¶
Force a specific wpa_supplicant driver.
Type: null or string
Default:
"nl80211,wext"Declared by:
networking.supplicant.<name>.extraCmdArgs¶
Command line arguments to add when executing
wpa_supplicant.Type: string
Default:
""Example:
"-e/run/wpa_supplicant/entropy.bin"Declared by:
networking.supplicant.<name>.extraConf¶
Configuration options for
wpa_supplicant.conf. Options defined here have precedence over options inconfigFile. NOTE: Do not write sensitive data intoextraConfas it will be world-readable in thenix-store. For sensitive information use theconfigFileinstead.Type: strings concatenated with “\n”
Default:
""Example:
'' ap_scan=1 device_name=My-NixOS-Device device_type=1-0050F204-1 driver_param=use_p2p_group_interface=1 disable_scan_offload=1 p2p_listen_reg_class=81 p2p_listen_channel=1 p2p_oper_reg_class=81 p2p_oper_channel=1 manufacturer=NixOS model_name=NixOS_Unstable model_number=2015 ''Declared by:
networking.supplicant.<name>.userControlled.enable¶
Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don’t want to depend on a large package such as NetworkManager just to pick nearby access points.
Type: boolean
Default:
falseDeclared by:
networking.supplicant.<name>.userControlled.group¶
Members of this group can control wpa_supplicant.
Type: string
Default:
"wheel"Example:
"network"Declared by:
networking.supplicant.<name>.userControlled.socketDir¶
Directory of sockets for controlling wpa_supplicant.
Type: string
Default:
"/run/wpa_supplicant"Declared by:
networking.tcpcrypt.enable¶
Whether to enable opportunistic TCP encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be sent in clear text. Thus, Tcpcrypt alone provides no guarantees – it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.
Type: unspecified
Default:
falseDeclared by:
networking.timeServers¶
The set of NTP servers from which to synchronise.
Type: unspecified
Default:
[ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]Declared by:
networking.useDHCP¶
Whether to use DHCP to obtain an IP address and other configuration for all network interfaces that are not manually configured.
Using this option is highly discouraged and also incompatible with. Please use instead and set this to false.
Type: boolean
Default:
trueDeclared by:
networking.useHostResolvConf¶
In containers, whether to use the:file:resolv.conf supplied by the host.
Type: boolean
Default:
falseDeclared by:
networking.useNetworkd¶
Whether we should use networkd as the network configuration backend or the legacy script based system. Note that this option is experimental, enable at your own risk.
Type: boolean
Default:
falseDeclared by:
networking.usePredictableInterfaceNames¶
Whether to assign predictable names to network interfaces. If enabled, interfaces are assigned names that contain topology information (e.g.
wlp3s0) and thus should be stable across reboots. If disabled, names depend on the order in which interfaces are discovered by the kernel, which may change randomly across reboots; for instance, you may find``eth0`` andeth1flipping unpredictably.Type: boolean
Default:
trueDeclared by:
networking.vlans¶
This option allows you to define vlan devices that tag packets on top of a physical interface. The value of this option is an attribute set. Each attribute specifies a vlan, with the name specifying the name of the vlan interface.
Type: attribute set of submodules
Default: ``{
}``
Example:
*Declared by:*
networking.vlans.<name>.id¶
The vlan identifier
Type: signed integer
Example:
1Declared by:
networking.vlans.<name>.interface¶
The interface the vlan will transmit packets through.
Type: string
Example:
"enp4s0"Declared by:
networking.vswitches¶
This option allows you to define Open vSwitches that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a vswitch, with the attribute name specifying the name of the vswitch’s network interface.
Type: attribute set of submodules
Default: ``{
}``
Example: ``{ vs0 = { interfaces = { eth0 = {
} ; lo1 = { type = “internal”; } ; } ; } ; vs1 = { interfaces = [
{ name = “eth2”; }
{ name = “lo2”; type = “internal”; }
}``
Declared by:
networking.vswitches.<name>.controllers¶
Specify the controller targets. For the allowed options see
man 8 ovs-vsctl.Type: list of strings
Default: ``[
]``
Example:
[ "ptcp:6653:\[::1]" ]Declared by:
networking.vswitches.<name>.extraOvsctlCmds¶
Commands to manipulate the Open vSwitch database. Every line executed with
ovs-vsctl. All commands are bundled together with the operations for adding the interfaces into one atomic operation.Type: strings concatenated with “\n”
Default:
""Example:
'' set-fail-mode <switch_name> secure set Bridge <switch_name> stp_enable=true ''Declared by:
networking.vswitches.<name>.interfaces¶
The physical network interfaces connected by the vSwitch.
Type: list or attribute set of submodules
Example:
[ "eth0" "eth1" ]Declared by:
networking.vswitches.<name>.interfaces.<name?>.name¶
Name of the interface
Type: string
Example:
"eth0"Declared by:
networking.vswitches.<name>.interfaces.<name?>.type¶
Openvswitch type to assign to interface
Type: null or string
Default:
nullExample:
"internal"Declared by:
networking.vswitches.<name>.interfaces.<name?>.vlan¶
Vlan tag to apply to interface
Type: null or signed integer
Default:
nullExample:
10Declared by:
networking.vswitches.<name>.openFlowRules¶
OpenFlow rules to insert into the Open vSwitch. All
openFlowRulesare loaded withovs-ofctlwithin one atomic operation.Type: strings concatenated with “\n”
Default:
""Example:
'' actions=normal ''Declared by:
networking.vswitches.<name>.openFlowVersion¶
Version of OpenFlow protocol to use when communicating with the switch internally (e.g. with
openFlowRules).Type: string
Default:
"OpenFlow13"Declared by:
networking.vswitches.<name>.supportedOpenFlowVersions¶
Supported versions to enable on this switch.
Type: list of strings
Default:
[ "OpenFlow13" ]Example:
[ "OpenFlow10" "OpenFlow13" "OpenFlow14" ]Declared by:
networking.wg-quick.interfaces¶
Wireguard interfaces.
Type: attribute set of submodules
Default: ``{
}``
Example: ``{ wg0 = { address = [ “192.168.20.4/24” ] ; peers = [
{ allowedIPs = [ “192.168.20.1/32” ] ; endpoint = “demo.wireguard.io:12913”; publicKey = “xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=”; }
] ; privateKey = “yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=”; } ; }``
Declared by:
networking.wg-quick.interfaces.<name>.address¶
The IP addresses of the interface.
Type: list of strings
Default: ``[
]``
Example:
[ "192.168.2.1/24" ]Declared by:
networking.wg-quick.interfaces.<name>.dns¶
The IP addresses of DNS servers to configure.
Type: list of strings
Default: ``[
]``
Example:
[ "192.168.2.2" ]Declared by:
networking.wg-quick.interfaces.<name>.listenPort¶
16-bit port for listening. Optional; if not specified, automatically generated based on interface name.
Type: null or signed integer
Default:
nullExample:
51820Declared by:
networking.wg-quick.interfaces.<name>.mtu¶
If not specified, the MTU is automatically determined from the endpoint addresses or the system default route, which is usually a sane choice. However, to manually specify an MTU to override this automatic discovery, this value may be specified explicitly.
Type: null or signed integer
Default:
nullExample:
1248Declared by:
networking.wg-quick.interfaces.<name>.peers¶
networking.wg-quick.interfaces.<name>.peers.*.allowedIPs¶
List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.
Type: list of strings
Example:
[ "10.192.122.3/32" "10.192.124.1/24" ]Declared by:
networking.wg-quick.interfaces.<name>.peers.*.endpoint¶
Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer.
Type: null or string
Default:
nullExample:
"demo.wireguard.io:12913"Declared by:
networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive¶
This is optional and is by default off, because most users will not need it. It represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need this.
Type: null or signed integer
Default:
nullExample:
25Declared by:
networking.wg-quick.interfaces.<name>.peers.*.publicKey¶
The base64 public key the peer.
Type: string
Example:
"xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="Declared by:
networking.wg-quick.interfaces.<name>.postDown¶
Command called after the interface is taken down.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
${pkgs.iproute}/bin/ip netns del fooDeclared by:
networking.wg-quick.interfaces.<name>.postUp¶
Commands called after the interface setup.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
${pkgs.iproute}/bin/ip netns add fooDeclared by:
networking.wg-quick.interfaces.<name>.preDown¶
Command called before the interface is taken down.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
${pkgs.iproute}/bin/ip netns del fooDeclared by:
networking.wg-quick.interfaces.<name>.preUp¶
Commands called at the start of the interface setup.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
${pkgs.iproute}/bin/ip netns add fooDeclared by:
networking.wg-quick.interfaces.<name>.privateKey¶
Base64 private key generated by wg genkey.
Warning: Consider using privateKeyFile instead if you do not want to store the key in the world-readable Nix store.
Type: null or string
Default:
nullExample:
"yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="Declared by:
networking.wg-quick.interfaces.<name>.privateKeyFile¶
Private key file as generated by wg genkey.
Type: null or string
Default:
nullExample:
"/private/wireguard_key"Declared by:
networking.wg-quick.interfaces.<name>.table¶
The kernel routing table to add this interface’s associated routes to. Setting this is useful for e.g. policy routing (“ip rule”) or virtual routing and forwarding (“ip vrf”). Both numeric table IDs and table names (/etc/rt_tables) can be used. Defaults to “main”.
Type: null or string
Default:
nullExample:
"main"Declared by:
networking.wicd.enable¶
Whether to start wicd. Wired and wireless network configurations can then be managed by wicd-client.
Type: unspecified
Default:
falseDeclared by:
networking.wireguard.enable¶
Whether to enable WireGuard.
Type: boolean
Default:
falseExample:
trueDeclared by:
networking.wireguard.interfaces¶
WireGuard interfaces.
Type: attribute set of submodules
Default: ``{
}``
Example: ``{ wg0 = { ips = [ “192.168.20.4/24” ] ; peers = [
{ allowedIPs = [ “192.168.20.1/32” ] ; endpoint = “demo.wireguard.io:12913”; publicKey = “xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=”; }
] ; privateKey = “yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=”; } ; }``
Declared by:
networking.wireguard.interfaces.<name>.allowedIPsAsRoutes¶
Determines whether to add allowed IPs as routes or not.
Type: boolean
Default:
trueExample:
falseDeclared by:
networking.wireguard.interfaces.<name>.generatePrivateKeyFile¶
Automatically generate a private key with:command:wg genkey, at the privateKeyFile location.
Type: boolean
Default:
falseDeclared by:
networking.wireguard.interfaces.<name>.interfaceNamespace¶
The pre-existing network namespace the WireGuard interface is moved to. The special value
initmeans the init namespace. Whennull, the interface is not moved. See documentation.Type: null or string
Default:
nullExample:
"init"Declared by:
networking.wireguard.interfaces.<name>.ips¶
The IP addresses of the interface.
Type: list of strings
Default: ``[
]``
Example:
[ "192.168.2.1/24" ]Declared by:
networking.wireguard.interfaces.<name>.listenPort¶
16-bit port for listening. Optional; if not specified, automatically generated based on interface name.
Type: null or signed integer
Default:
nullExample:
51820Declared by:
networking.wireguard.interfaces.<name>.peers¶
networking.wireguard.interfaces.<name>.peers.*.allowedIPs¶
List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.
Type: list of strings
Example:
[ "10.192.122.3/32" "10.192.124.1/24" ]Declared by:
networking.wireguard.interfaces.<name>.peers.*.endpoint¶
Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer.
Type: null or string
Default:
nullExample:
"demo.wireguard.io:12913"Declared by:
networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive¶
This is optional and is by default off, because most users will not need it. It represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need this.
Type: null or signed integer
Default:
nullExample:
25Declared by:
networking.wireguard.interfaces.<name>.peers.*.publicKey¶
The base64 public key of the peer.
Type: string
Example:
"xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="Declared by:
networking.wireguard.interfaces.<name>.postSetup¶
Commands called at the end of the interface setup.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
printf "nameserver 10.200.100.1" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0Declared by:
networking.wireguard.interfaces.<name>.postShutdown¶
Commands called after shutting down the interface.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
${pkgs.openresolv}/bin/resolvconf -d wg0Declared by:
networking.wireguard.interfaces.<name>.preSetup¶
Commands called at the start of the interface setup.
Type: strings concatenated with “\n” or list of strings convertible to it
Default:
""Example:
${pkgs.iproute}/bin/ip netns add fooDeclared by:
networking.wireguard.interfaces.<name>.privateKey¶
Base64 private key generated by wg genkey.
Warning: Consider using privateKeyFile instead if you do not want to store the key in the world-readable Nix store.
Type: null or string
Default:
nullExample:
"yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="Declared by:
networking.wireguard.interfaces.<name>.privateKeyFile¶
Private key file as generated by wg genkey.
Type: null or string
Default:
nullExample:
"/private/wireguard_key"Declared by:
networking.wireguard.interfaces.<name>.socketNamespace¶
The pre-existing network namespace in which the WireGuard interface is created, and which retains the socket even if the interface is moved via . When
null, the interface is created in the init namespace. See documentation.Type: null or string
Default:
nullExample:
"container"Declared by:
networking.wireguard.interfaces.<name>.table¶
The kernel routing table to add this interface’s associated routes to. Setting this is useful for e.g. policy routing (“ip rule”) or virtual routing and forwarding (“ip vrf”). Both numeric table IDs and table names (/etc/rt_tables) can be used. Defaults to “main”.
Type: string
Default:
"main"Declared by:
networking.wireless.enable¶
Whether to enable wpa_supplicant.
Type: boolean
Default:
falseExample:
trueDeclared by:
networking.wireless.driver¶
Force a specific wpa_supplicant driver.
Type: string
Default:
"nl80211,wext"Declared by:
networking.wireless.extraConfig¶
Extra lines appended to the configuration file. Seewpa_supplicant.conf5 for available options.
Type: string
Default:
""Example:
'' p2p_disabled=1 ''Declared by:
networking.wireless.interfaces¶
The interfaces wpa_supplicant will use. If empty, it will automatically use all wireless interfaces.
Type: list of strings
Default: ``[
]``
Example:
[ "wlan0" "wlan1" ]Declared by:
networking.wireless.iwd.enable¶
Whether to enable iwd.
Type: boolean
Default:
falseExample:
trueDeclared by:
networking.wireless.networks¶
The network definitions to automatically connect to when wpa_supplicant is running. If this parameter is left empty wpa_supplicant will use /etc/wpa_supplicant.conf as the configuration file.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ echelon = { # SSID with no spaces or special characters psk = "abcdefgh"; }; "echelon's AP" = { # SSID with spaces and/or special characters psk = "ijklmnop"; }; "free.wifi" = {}; # Public wireless network }Declared by:
networking.wireless.networks.<name>.auth¶
Use this option to configure advanced authentication methods like EAP. Seewpa_supplicant.conf5 for example configurations.
Mutually exclusive with
pskandpskRaw.Type: null or string
Default:
nullExample:
'' key_mgmt=WPA-EAP eap=PEAP identity="user@example.com" password="secret" ''Declared by:
networking.wireless.networks.<name>.extraConfig¶
Extra configuration lines appended to the network block. Seewpa_supplicant.conf5 for available options.
Type: string
Default:
""Example:
'' bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66 ''Declared by:
networking.wireless.networks.<name>.priority¶
By default, all networks will get same priority group (0). If some of the networks are more desirable, this field can be used to change the order in which wpa_supplicant goes through the networks when selecting a BSS. The priority groups will be iterated in decreasing priority (i.e., the larger the priority value, the sooner the network is matched against the scan results). Within each priority group, networks will be selected based on security policy, signal strength, etc.
Type: null or signed integer
Default:
nullDeclared by:
networking.wireless.networks.<name>.psk¶
The network’s pre-shared key in plaintext defaulting to being a network without any authentication.
Be aware that these will be written to the nix store in plaintext!
Mutually exclusive with
pskRaw.Type: null or string
Default:
nullDeclared by:
networking.wireless.networks.<name>.pskRaw¶
The network’s pre-shared key in hex defaulting to being a network without any authentication.
Mutually exclusive with
psk.Type: null or string
Default:
nullDeclared by:
networking.wireless.userControlled.enable¶
Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don’t want to depend on a large package such as NetworkManager just to pick nearby access points.
When using a declarative network specification you cannot persist any settings via wpa_gui or wpa_cli.
Type: boolean
Default:
falseDeclared by:
networking.wireless.userControlled.group¶
Members of this group can control wpa_supplicant.
Type: string
Default:
"wheel"Example:
"network"Declared by:
networking.wlanInterfaces¶
Creating multiple WLAN interfaces on top of one physical WLAN device (NIC).
The name of the WLAN interface corresponds to the name of the attribute. A NIC is referenced by the persistent device name of the WLAN interface that``udev`` assigns to a NIC by default. If a NIC supports multiple WLAN interfaces, then the one NIC can be used as``device`` for multiple WLAN interfaces. If a NIC is used for creating WLAN interfaces, then the default WLAN interface with a persistent device name form
udevis not created. A WLAN interface with the persistent name assigned fromudevwould have to be created explicitly.Type: attribute set of submodules
Default: ``{
}``
Example:
*Declared by:*
networking.wlanInterfaces.<name>.device¶
The name of the underlying hardware WLAN device as assigned by
udev.Type: string
Example:
"wlp6s0"Declared by:
networking.wlanInterfaces.<name>.flags¶
Flags for interface of type
monitor.Type: null or one of “none”, “fcsfail”, “control”, “otherbss”, “cook”, “active”
Default:
nullExample:
"control"Declared by:
networking.wlanInterfaces.<name>.fourAddr¶
Whether to enable
4-address modewith typemanaged.Type: null or boolean
Default:
nullDeclared by:
networking.wlanInterfaces.<name>.mac¶
MAC address to use for the device. If
null, then the MAC of the underlying hardware WLAN device is used.INFO: Locally administered MAC addresses are of the form:
- x2:xx:xx:xx:xx:xx
- x6:xx:xx:xx:xx:xx
- xA:xx:xx:xx:xx:xx
- xE:xx:xx:xx:xx:xx
Type: null or string
Default:
nullExample:
"02:00:00:00:00:01"Declared by:
networking.wlanInterfaces.<name>.meshID¶
MeshID of interface with type
mesh.Type: null or string
Default:
nullDeclared by:
networking.wlanInterfaces.<name>.type¶
The type of the WLAN interface. The type has to be supported by the underlying hardware of the device.
Type: one of “managed”, “ibss”, “monitor”, “mesh”, “wds”
Default:
"managed"Example:
"ibss"Declared by:
nix.package¶
This option specifies the Nix package instance to use throughout the system.
Type: package
Default:
"pkgs.nix"Declared by:
nix.allowedUsers¶
A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with, you can specify groups by prefixing them with
@. Also, you can allow all users by specifying*. The default is*. Note that trusted users are always allowed to connect.Type: list of strings
Default:
[ "\*" ]Example:
[ "@wheel" "@builders" "alice" "bob" ]Declared by:
nix.autoOptimiseStore¶
If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store –optimise to get rid of duplicate files.
Type: boolean
Default:
falseExample:
trueDeclared by:
nix.binaryCachePublicKeys¶
List of public keys used to sign binary caches. If is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key forcache.nixos.org is included.
Type: list of strings
Example:
[ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ]Declared by:
nix.binaryCaches¶
List of binary cache URLs used to obtain pre-built binaries of Nix packages.
By default https://cache.nixos.org/ is added, to override it use
lib.mkForce \[].Type: list of strings
Declared by:
nix.buildCores¶
This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.
Type: signed integer
Default:
0Example:
64Declared by:
nix.buildMachines¶
This option lists the machines to be used if distributed builds are enabled (see). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store. Each element of the list should be an attribute set containing the machine’s host name (
hostname), the user name to be used for the SSH connection (sshUser), the Nix system type (system, e.g.,``”i686-linux”), the maximum number of jobs to be run in parallel on that machine (``maxJobs), the path to the SSH private key to be used to connect (sshKey), a list of supported features of the machine (supportedFeatures) and a list of mandatory features of the machine (mandatoryFeatures). The SSH private key should not have a passphrase, and the corresponding public key should be added to:file:~ on the remote machine.Type: list of attribute sets
Default: ``[
]``
Example:
[ { hostName = "voila.labs.cs.uu.nl"; sshUser = "nix"; sshKey = "/root/.ssh/id_buildfarm"; system = "powerpc-darwin"; maxJobs = 1; } { hostName = "linux64.example.org"; sshUser = "buildfarm"; sshKey = "/root/.ssh/id_buildfarm"; system = "x86_64-linux"; maxJobs = 2; speedFactor = 2; supportedFeatures = [ "kvm" ]; mandatoryFeatures = [ "perf" ]; } ]Declared by:
nix.checkConfig¶
If enabled (the default), checks that Nix can parse the generated nix.conf.
Type: boolean
Default:
trueDeclared by:
nix.daemonIONiceLevel¶
Nix daemon process I/O priority. This priority propagates to build processes. 0 is the default Unix process I/O priority, 7 is the lowest.
Type: signed integer
Default:
0Declared by:
nix.daemonNiceLevel¶
Nix daemon process priority. This priority propagates to build processes. 0 is the default Unix process priority, 19 is the lowest.
Type: signed integer
Default:
0Declared by:
nix.distributedBuilds¶
Whether to distribute builds to the machines listed in.
Type: boolean
Default:
falseDeclared by:
nix.extraOptions¶
Additional text appended to
nix.conf.Type: strings concatenated with “\n”
Default:
""Example:
'' keep-outputs = true keep-derivations = true ''Declared by:
nix.gc.automatic¶
Automatically run the garbage collector at a specific time.
Type: boolean
Default:
falseDeclared by:
nix.gc.dates¶
Specification (in the format described bysystemd.time7) of the time at which the garbage collector will run.
Type: string
Default:
"03:15"Declared by:
nix.gc.options¶
Options given to
nix-collect-garbagewhen the garbage collector is run automatically.Type: string
Default:
""Example:
"--max-freed \\$((64 * 1024**3))"Declared by:
nix.maxJobs¶
This option defines the maximum number of jobs that Nix will try to build in parallel. The default is 1. You should generally set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).
Type: signed integer or one of “auto”
Default:
1Example:
64Declared by:
nix.nixPath¶
The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets (e.g.
<nixpkgs>).Type: list of strings
Default:
[ "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos" "nixos-config=/etc/nixos/configuration.nix" "/nix/var/nix/profiles/per-user/root/channels" ]Declared by:
nix.nrBuildUsers¶
Number of
nixblduser accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.Type: signed integer
Declared by:
nix.optimise.automatic¶
Automatically run the nix store optimiser at a specific time.
Type: boolean
Default:
falseDeclared by:
nix.optimise.dates¶
Specification (in the format described bysystemd.time7) of the time at which the optimiser will run.
Type: list of strings
Default:
[ "03:45" ]Declared by:
nix.readOnlyStore¶
If set, NixOS will enforce the immutability of the Nix store by making
/nix/storea read-only bind mount. Nix will automatically make the store writable when needed.Type: boolean
Default:
trueDeclared by:
nix.requireSignedBinaryCaches¶
If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in. If disabled, signatures are neither required nor checked, so it’s strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.
Type: boolean
Default:
trueDeclared by:
nix.sandboxPaths¶
Directories from the host filesystem to be included in the sandbox.
Type: list of strings
Default: ``[
]``
Example:
[ "/dev" "/proc" ]Declared by:
nix.sshServe.enable¶
Whether to enable serving the Nix store as a remote store via SSH.
Type: boolean
Default:
falseDeclared by:
nix.sshServe.keys¶
A list of SSH public keys allowed to access the binary cache via SSH.
Type: list of strings
Default: ``[
]``
Example:
[ "ssh-dss AAAAB3NzaC1k... alice@example.org" ]Declared by:
nix.sshServe.protocol¶
The specific Nix-over-SSH protocol to use.
Type: one of “ssh”, “ssh-ng”
Default:
"ssh"Declared by:
nix.systemFeatures¶
The supported features of a machine
Type: list of strings
Example:
[ "kvm" "big-parallel" "gccarch-skylake" ]Declared by:
nix.trustedBinaryCaches¶
List of binary cache URLs that non-root users can use (in addition to those specified using) by passing``–option binary-caches`` to Nix commands.
Type: list of strings
Default: ``[
]``
Example:
[ "http://hydra.nixos.org/" ]Declared by:
nix.trustedUsers¶
A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with``@``; for instance,``@wheel`` means all users in the wheel group.
Type: list of strings
Default:
[ "root" ]Example:
[ "root" "alice" "@wheel" ]Declared by:
nix.useSandbox¶
If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment. This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn’t affect derivation hashes, so changing this option will not trigger a rebuild of packages.
Type: boolean or one of “relaxed”
Default:
trueDeclared by:
nixops.enableDeprecatedAutoLuks¶
Whether to enable Enable the deprecated NixOps AutoLuks module.
Type: boolean
Default:
falseExample:
trueDeclared by:
nixpkgs.config¶
The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options.
Ignored when nixpkgs.pkgs is set.
Type: nixpkgs config
Default: ``{
}``
Example:
{ allowBroken = true; allowUnfree = true; }Declared by:
nixpkgs.crossSystem¶
Specifies the platform for which NixOS should be built. Specify this only if it is different fromnixpkgs.localSystem, the platform*on* which NixOS should be built. In other words, specify this to cross-compile NixOS. Otherwise it should be set as null, the default. See its description in the Nixpkgs manual for more details.
Ignored when nixpkgs.pkgs is set.
Type: null or attribute set
Default:
(import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatformExample:
{ config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux"; }Declared by:
nixpkgs.localSystem¶
Specifies the platform on which NixOS should be built. Whennixpkgs.crossSystem is unset, it also specifies the platform for which NixOS should be built. If this option is unset, it defaults to the platform type of the machine where evaluation happens. Specifying this option is useful when doing distributed multi-platform deployment, or when building virtual machines. See its description in the Nixpkgs manual for more details.
Ignored when nixpkgs.pkgs is set.
Type: attribute set
Default:
(import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatformExample:
{ config = "aarch64-unknown-linux-gnu"; system = "aarch64-linux"; }Declared by:
nixpkgs.overlays¶
List of overlays to use with the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to override packages globally. Each function in the list takes as an argument the original Nixpkgs. The first argument should be used for finding dependencies, and the second should be used for overriding recipes.
If nixpkgs.pkgs is set, overlays specified here will be applied after the overlays that were already present in nixpkgs.pkgs.
Type: list of nixpkgs overlays
Default: ``[
]``
Example:
[ (self: super: { openssh = super.openssh.override { hpnSupport = true; kerberos = self.libkrb5; }; }) ]Declared by:
nixpkgs.pkgs¶
If set, the pkgs argument to all NixOS modules is the value of this option, extended with nixpkgs.overlays, if that is also set. Either nixpkgs.crossSystem ornixpkgs.localSystem will be used in an assertion to check that the NixOS and Nixpkgs architectures match. Any other options in nixpkgs.*, notably config, will be ignored.
If unset, the pkgs argument to all NixOS modules is determined as shown in the default value for this option.
The default value imports the Nixpkgs source files relative to the location of this NixOS module, because NixOS and Nixpkgs are distributed together for consistency, so the nixos in the default value is in fact a relative path. The config, overlays,localSystem, and crossSystem come from this option’s siblings.
This option can be used by applications like NixOps to increase the performance of evaluation, or to create packages that depend on a container that should be built with the exact same evaluation of Nixpkgs, for example. Applications like this should set their default value using lib.mkDefault, so user-provided configuration can override it without usinglib.
Note that using a distinct version of Nixpkgs with NixOS may be an unexpected source of problems. Use this option with care.
Type: An evaluation of Nixpkgs; the top level attribute set of packages
Default:
import "${nixos}/.." { inherit (cfg) config overlays localSystem crossSystem; }Example:
import <nixpkgs> {}Declared by:
nixpkgs.system¶
Specifies the Nix platform type on which NixOS should be built. It is better to specify nixpkgs.localSystem instead.
{ nixpkgs.system = ..; }is the same as
{ nixpkgs.localSystem.system = ..; }See nixpkgs.localSystem for more information.
Ignored when nixpkgs.localSystem is set. Ignored when nixpkgs.pkgs is set.
Type: string
Example:
"i686-linux"Declared by:
power.ups.enable¶
Enables support for Power Devices, such as Uninterruptible Power Supplies, Power Distribution Units and Solar Controllers.
Type: boolean
Default:
falseDeclared by:
power.ups.maxStartDelay¶
This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.
Type: signed integer
Default:
45Declared by:
power.ups.mode¶
The MODE determines which part of the NUT is to be started, and which configuration files must be modified.
The values of MODE can be:
- none: NUT is not configured, or use the Integrated Power
Management, or use some external system to startup NUT components. So nothing is to be started.
- standalone: This mode address a local only configuration, with 1
UPS protecting the local system. This implies to start the 3 NUT layers (driver, upsd and upsmon) and the matching configuration files. This mode can also address UPS redundancy.
- netserver: same as for the standalone configuration, but also
need some more ACLs and possibly a specific LISTEN directive in upsd.conf. Since this MODE is opened to the network, a special care should be applied to security concerns.
- netclient: this mode only requires upsmon.
Type: string
Default:
"standalone"Declared by:
power.ups.schedulerRules¶
File which contains the rules to handle UPS events.
Type: string
Example:
"/etc/nixos/upssched.conf"Declared by:
power.ups.ups¶
This is where you configure all the UPSes that this system will be monitoring directly. These are usually attached to serial ports, but USB devices are also supported.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
power.ups.ups.<name>.description¶
Description of the UPS.
Type: string
Default:
""Declared by:
power.ups.ups.<name>.directives¶
power.ups.ups.<name>.driver¶
Specify the program to run to talk to this UPS. apcsmart, bestups, and sec are some examples.
Type: string
Declared by:
power.ups.ups.<name>.maxStartDelay¶
This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.
Type: null or signed integer
Default:
nullDeclared by:
power.ups.ups.<name>.port¶
The serial port to which your UPS is connected. /dev/ttyS0 is usually the first port on Linux boxes, for example.
Type: string
Declared by:
power.ups.ups.<name>.shutdownOrder¶
When you have multiple UPSes on your system, you usually need to turn them off in a certain order. upsdrvctl shuts down all the 0s, then the 1s, 2s, and so on. To exclude a UPS from the shutdown sequence, set this to -1.
Type: signed integer
Default:
0Declared by:
power.ups.ups.<name>.summary¶
Lines which would be added inside ups.conf for handling this UPS.
Type: strings concatenated with “\n”
Default:
""Declared by:
powerManagement.enable¶
Whether to enable power management. This includes support for suspend-to-RAM and powersave features on laptops.
Type: boolean
Default:
trueDeclared by:
powerManagement.cpuFreqGovernor¶
Configure the governor used to regulate the frequence of the available CPUs. By default, the kernel configures the performance governor, although this may be overwritten in your hardware-configuration.nix file.
Often used values: “ondemand”, “powersave”, “performance”
Type: null or string
Default:
nullExample:
"ondemand"Declared by:
powerManagement.cpufreq.max¶
The maximum frequency the CPU will use. Defaults to the maximum possible.
Type: null or unsigned integer, meaning >=0
Default:
nullExample:
2200000Declared by:
powerManagement.cpufreq.min¶
The minimum frequency the CPU will use.
Type: null or unsigned integer, meaning >=0
Default:
nullExample:
800000Declared by:
powerManagement.powerDownCommands¶
Commands executed when the machine powers down. That is, they’re executed both when the system shuts down and when it goes to suspend or hibernation.
Type: strings concatenated with “\n”
Default:
""Example:
"${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"Declared by:
powerManagement.powerUpCommands¶
Commands executed when the machine powers up. That is, they’re executed both when the system first boots and when it resumes from suspend or hibernation.
Type: strings concatenated with “\n”
Default:
""Example:
"${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"Declared by:
powerManagement.powertop.enable¶
Whether to enable powertop auto tuning on startup.
Type: boolean
Default:
falseExample:
trueDeclared by:
powerManagement.resumeCommands¶
Commands executed after the system resumes from suspend-to-RAM.
Type: strings concatenated with “\n”
Default:
""Declared by:
powerManagement.scsiLinkPolicy¶
SCSI link power management policy. The kernel default is “max_performance”.
“med_power_with_dipm” is supported by kernel versions 4.15 and newer.
Type: null or one of “min_power”, “max_performance”, “medium_power”, “med_power_with_dipm”
Default:
nullDeclared by:
programs.adb.enable¶
Whether to configure system to use Android Debug Bridge (adb). To grant access to a user, it must be part of adbusers group:users.users.alice.extraGroups = [“adbusers”];
Type: boolean
Default:
falseDeclared by:
programs.atop.settings¶
Parameters to be written to
/etc/atoprc.Type: attribute set
Default: ``{
}``
Example:
{ flags = "a1f"; interval = 5; }Declared by:
programs.autojump.enable¶
Whether to enable autojump.
Type: boolean
Default:
falseDeclared by:
programs.bandwhich.enable¶
Whether to add bandwhich to the global environment and configure a setcap wrapper for it.
Type: boolean
Default:
falseDeclared by:
programs.bash.enableCompletion¶
Enable Bash completion for all interactive bash shells.
Type: boolean
Default:
trueDeclared by:
programs.bash.enableLsColors¶
Enable extra colors in directory listings.
Type: boolean
Default:
trueDeclared by:
programs.bash.interactiveShellInit¶
Shell script code called during interactive bash shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.bash.loginShellInit¶
Shell script code called during login bash shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.bash.promptInit¶
Shell script code used to initialise the bash prompt.
Type: strings concatenated with “\n”
Default:
'' # Provide a nice prompt if the terminal supports it. if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then PROMPT_COLOR="1;31m" let $UID && PROMPT_COLOR="1;32m" if [ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]; then # Emacs term mode doesn't support xterm title escape sequence (\e]0;) PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] " else PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] " fi if test "$TERM" = "xterm"; then PS1="\[\033]2;\h:\u:\w\007\]$PS1" fi fi ''Declared by:
programs.bash.shellAliases¶
Set of aliases for bash shell, which overrides . See for an option format description.
Type: attribute set of null or string or paths
Default: ``{
}``
Declared by:
programs.bash.shellInit¶
Shell script code called during bash shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.bash.vteIntegration¶
Whether to enable Bash integration for VTE terminals. This allows it to preserve the current directory of the shell across terminals.
Type: boolean
Default:
falseDeclared by:
programs.bash-my-aws.enable¶
Whether to enable bash-my-aws.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.bcc.enable¶
Whether to enable bcc.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.browserpass.enable¶
Whether to enable Browserpass native messaging host.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.captive-browser.enable¶
Whether to enable captive browser.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.captive-browser.package¶
Which package to use for captive-browser
Type: package
Default:
"pkgs.captive-browser"Declared by:
programs.captive-browser.bindInterface¶
Binds captive-browser to the network interface declared in``cfg.interface``. This can be used to avoid collisions with private subnets.
Type: boolean
Default:
trueDeclared by:
programs.captive-browser.browser¶
The shell (/bin/sh) command executed once the proxy starts. When browser exits, the proxy exits. An extra env var PROXY is available.
Here, we use a separate Chrome instance in Incognito mode, so that it can run (and be waited for) alongside the default one, and that it maintains no state across runs. To configure this browser open a normal window in it, settings will be preserved.
@volth: chromium is to open a plain HTTP (not HTTPS nor redirect to HTTPS!) website. upstream uses http://example.com but I have seen captive portals whose DNS server resolves “example.com” to 127.0.0.1
Type: string
Default:
''''${pkgs.chromium}/bin/chromium --user-data-dir=$HOME/.chromium-captive --proxy-server="socks5://$PROXY" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost" --no-first-run --new-window --incognito http://cache.nixos.org/''Declared by:
programs.captive-browser.dhcp-dns¶
The shell (/bin/sh) command executed to obtain the DHCP DNS server address. The first match of an IPv4 regex is used. IPv4 only, because let’s be real, it’s a captive portal.
Type: string
Declared by:
programs.captive-browser.interface¶
your public network interface (wlp3s0, wlan0, eth0, …)
Type: string
Declared by:
programs.captive-browser.socks5-addr¶
the listen address for the SOCKS5 proxy server
Type: string
Default:
"localhost:1666"Declared by:
programs.ccache.enable¶
Whether to enable CCache.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.ccache.packageNames¶
Nix top-level packages to be compiled using CCache
Type: list of strings
Default: ``[
]``
Example:
[ "wxGTK30" "qt48" "ffmpeg_3_3" "libav_all" ]Declared by:
programs.ccache.cacheDir¶
CCache directory
Type: path
Default:
"/var/cache/ccache"Declared by:
programs.cdemu.enable¶
cdemu for members of.
Type: unspecified
Default:
falseDeclared by:
programs.cdemu.group¶
Group that users must be in to use cdemu.
Type: unspecified
Default:
"cdrom"Declared by:
programs.cdemu.gui¶
Whether to install the cdemu GUI (gCDEmu).
Type: unspecified
Default:
trueDeclared by:
programs.cdemu.image-analyzer¶
Whether to install the image analyzer.
Type: unspecified
Default:
trueDeclared by:
programs.chromium.enable¶
Whether to enable chromium policies.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.chromium.defaultSearchProviderSearchURL¶
Chromium default search provider url.
Type: null or string
Default:
nullExample:
"https://encrypted.google.com/search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}"Declared by:
programs.chromium.defaultSearchProviderSuggestURL¶
Chromium default search provider url for suggestions.
Type: null or string
Default:
nullExample:
"https://encrypted.google.com/complete/search?output=chrome&q={searchTerms}"Declared by:
programs.chromium.extensions¶
List of chromium extensions to install. For list of plugins ids see id in url of extensions on`chrome web store <https://chrome.google.com/webstore/category/extensions>`_ page.
Type: list of strings
Default: ``[
]``
Example:
[ "chlffgpmiacpedhhbkiomidkjlcfhogd" # pushbullet "mbniclmhobmnbdlbpiphghaielnnpgdp" # lightshot "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin ]Declared by:
programs.chromium.extraOpts¶
Extra chromium policy options, see`https://www.chromium.org/administrators/policy-list-3 <https://www.chromium.org/administrators/policy-list-3>`_ for a list of avalible options
Type: attribute set
Default: ``{
}``
Declared by:
programs.chromium.homepageLocation¶
Chromium default homepage
Type: null or string
Default:
nullExample:
"https://nixos.org"Declared by:
programs.command-not-found.enable¶
Whether interactive shells should show which Nix package (if any) provides a missing command.
Type: boolean
Default:
trueDeclared by:
programs.command-not-found.dbPath¶
Absolute path to programs.sqlite.
By default this file will be provided by your channel (nixexprs.tar.xz).
Type: path
Default:
"/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite"Declared by:
programs.criu.enable¶
Install criu along with necessary kernel options.
Type: unspecified
Default:
falseDeclared by:
programs.dconf.enable¶
Whether to enable dconf.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.digitalbitbox.enable¶
Installs the Digital Bitbox application and enables the complementary hardware module.
Type: boolean
Default:
falseDeclared by:
programs.digitalbitbox.package¶
The Digital Bitbox package to use. This can be used to install a package with udev rules that differ from the defaults.
Type: package
Default:
"pkgs.digitalbitbox"Declared by:
programs.dmrconfig.enable¶
Whether to configure system to enable use of dmrconfig. This enables the required udev rules and installs the program.
Type: boolean
Default:
falseRelated packages:
pkgs.dmrconfig (dmrconfig-1.1): Configuration utility for DMR radios.DMRconfig is a utility for programming digital radios via USB programming cable.Declared by:
programs.dmrconfig.package¶
dmrconfig derivation to use
Type: package
Default:
"pkgs.dmrconfig"Declared by:
programs.evince.enable¶
Whether to enable Evince, the GNOME document viewer.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.file-roller.enable¶
Whether to enable File Roller, an archive manager for GNOME.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.firejail.enable¶
Whether to enable firejail.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.firejail.wrappedBinaries¶
Wrap the binaries in firejail and place them in the global path.
You will get file collisions if you put the actual application binary in the global environment and applications started via .desktop files are not wrapped if they specify the absolute path to the binary.
Type: attribute set
Default: ``{
}``
Declared by:
programs.fish.enable¶
Whether to configure fish as an interactive shell.
Type: boolean
Default:
falseDeclared by:
programs.fish.interactiveShellInit¶
Shell script code called during interactive fish shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.fish.loginShellInit¶
Shell script code called during fish login shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.fish.promptInit¶
Shell script code used to initialise fish prompt.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.fish.shellAliases¶
Set of aliases for fish shell, which overrides . See for an option format description.
Type: attribute set of null or string or paths
Default: ``{
}``
Declared by:
programs.fish.shellInit¶
Shell script code called during fish shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.fish.vendor.completions.enable¶
Whether fish should use completion files provided by other packages.
Type: boolean
Default:
trueDeclared by:
programs.fish.vendor.config.enable¶
Whether fish should source configuration snippets provided by other packages.
Type: boolean
Default:
trueDeclared by:
programs.fish.vendor.functions.enable¶
Whether fish should autoload fish functions provided by other packages.
Type: boolean
Default:
trueDeclared by:
programs.fuse.mountMax¶
Set the maximum number of FUSE mounts allowed to non-root users.
Type: integer between 0 and 32767 (both inclusive)
Default:
1000Declared by:
programs.fuse.userAllowOther¶
Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).
Type: boolean
Default:
falseDeclared by:
programs.geary.enable¶
Whether to enable Geary, a Mail client for GNOME 3.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.gnome-disks.enable¶
Whether to enable GNOME Disks daemon, a program designed to be a UDisks2 graphical front-end.
Type: boolean
Default:
falseDeclared by:
programs.gnome-documents.enable¶
Whether to enable GNOME Documents, a document manager application for GNOME.
Type: boolean
Default:
falseDeclared by:
programs.gnome-terminal.enable¶
Whether to enable GNOME Terminal.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.gnupg.package¶
The gpg package that should be used.
Type: package
Default:
"pkgs.gnupg"Declared by:
programs.gnupg.agent.enable¶
Enables GnuPG agent with socket-activation for every user session.
Type: boolean
Default:
falseDeclared by:
programs.gnupg.agent.enableBrowserSocket¶
Enable browser socket for GnuPG agent.
Type: boolean
Default:
falseDeclared by:
programs.gnupg.agent.enableExtraSocket¶
Enable extra socket for GnuPG agent.
Type: boolean
Default:
falseDeclared by:
programs.gnupg.agent.enableSSHSupport¶
Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK environment variable correctly. This will disable socket-activation and thus always start a GnuPG agent per user session.
Type: boolean
Default:
falseDeclared by:
programs.gnupg.agent.pinentryFlavor¶
Which pinentry interface to use. If not null, the path to the pinentry binary will be passed to gpg-agent via commandline and thus overrides the pinentry option in gpg-agent.conf in the user’s home directory. If not set at all, it’ll pick an appropriate flavor depending on the system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce 4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
Type: null or one of “curses”, “tty”, “gtk2”, “qt”, “gnome3”, “emacs”
Example:
"gnome3"Declared by:
programs.gnupg.dirmngr.enable¶
Enables GnuPG network certificate management daemon with socket-activation for every user session.
Type: boolean
Default:
falseDeclared by:
programs.gpaste.enable¶
Whether to enable GPaste, a clipboard manager.
Type: boolean
Default:
falseDeclared by:
programs.gphoto2.enable¶
Whether to configure system to use gphoto2. To grant digital camera access to a user, the user must be part of the camera group:users.users.alice.extraGroups = [“camera”];
Type: boolean
Default:
falseDeclared by:
programs.iftop.enable¶
Whether to enable iftop + setcap wrapper.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.iotop.enable¶
Whether to enable iotop + setcap wrapper.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.java.enable¶
Install and setup the Java development kit.
Note
This adds JAVA_HOME to the global environment, by sourcing the jdk’s setup-hook on shell init. It is equivalent to starting a shell through ‘nix-shell -p jdk’, or roughly the following system-wide configuration:
environment.variables.JAVA_HOME = ${pkgs.jdk.home}/lib/openjdk; environment.systemPackages = [ pkgs.jdk ];Type: boolean
Default:
falseExample:
trueDeclared by:
programs.java.package¶
Java package to install. Typical values are pkgs.jdk or pkgs.jre.
Type: package
Default:
"pkgs.jdk"Declared by:
programs.kbdlight.enable¶
Whether to enable kbdlight.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.less.enable¶
Whether to enable less.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.less.clearDefaultCommands¶
Clear all default commands. You should remember to set the quit key. Otherwise you will not be able to leave less without killing it.
Type: boolean
Default:
falseDeclared by:
programs.less.commands¶
Defines new command keys.
Type: attribute set of strings
Default: ``{
}``
Example:
{ h = ''noaction 5\\e(''; l = ''noaction 5\\e)''; }Declared by:
programs.less.configFile¶
Path to lesskey configuration file.
takes precedence over ,, , and.
Type: null or path
Default:
nullExample:
$${pkgs.my-configs}/lesskeyDeclared by:
programs.less.envVariables¶
Defines environment variables.
Type: attribute set of strings
Default: ``{
}``
Example:
{ LESS = "--quit-if-one-screen"; }Declared by:
programs.less.lessclose¶
When less closes a file opened in such a way, it will call another program, called the input postprocessor, which may perform any desired clean-up action (such as deleting the replacement file created by LESSOPEN).
Type: null or string
Default:
nullDeclared by:
programs.less.lessopen¶
Before less opens a file, it first gives your input preprocessor a chance to modify the way the contents of the file are displayed.
Type: null or string
Default:
"\|\\${pkgs.lesspipe}/bin/lesspipe.sh %s"Declared by:
programs.less.lineEditingKeys¶
Defines new line-editing keys.
Type: attribute set of strings
Default: ``{
}``
Example:
{ e = "abort"; }Declared by:
programs.liboping.enable¶
Whether to enable liboping.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.light.enable¶
Whether to install Light backlight control command and udev rules granting access to members of the “video” group.
Type: boolean
Default:
falseDeclared by:
programs.mininet.enable¶
Whether to enable Mininet.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.mosh.enable¶
Whether to enable mosh. Note, this will open ports in your firewall!
Type: boolean
Default:
falseDeclared by:
programs.mosh.withUtempter¶
Whether to enable libutempter for mosh. This is required so that mosh can write to /var/run/utmp (which can be queried with `who` to display currently connected user sessions). Note, this will add a guid wrapper for the group utmp!
Type: boolean
Default:
trueDeclared by:
programs.mtr.enable¶
Whether to add mtr to the global environment and configure a setcap wrapper for it.
Type: boolean
Default:
falseDeclared by:
programs.mtr.package¶
The package to use.
Type: package
Default:
*(build of mtr-0.93)*Declared by:
programs.nano.nanorc¶
The system-wide nano configuration. See nanorc5.
Type: strings concatenated with “\n”
Default:
""Example:
'' set nowrap set tabstospaces set tabsize 2 ''Declared by:
programs.nano.syntaxHighlight¶
Whether to enable syntax highlight for various languages.
Type: boolean
Default:
trueDeclared by:
programs.nm-applet.enable¶
Whether to enable nm-applet.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.npm.enable¶
Whether to enable npm global config.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.npm.npmrc¶
The system-wide npm configuration. See ` <https://docs.npmjs.com/misc/config>`_.
Type: strings concatenated with “\n”
Default:
'' prefix = ''${HOME}/.npm ''Example:
'' prefix = ''${HOME}/.npm https-proxy=proxy.example.com init-license=MIT init-author-url=http://npmjs.org color=true ''Declared by:
programs.plotinus.enable¶
Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application.
Type: boolean
Default:
falseDeclared by:
programs.qt5ct.enable¶
Whether to enable the Qt5 Configuration Tool (qt5ct), a program that allows users to configure Qt5 settings (theme, font, icons, etc.) under desktop environments or window manager without Qt integration.
Official home page: https://sourceforge.net/projects/qt5ct/
Type: boolean
Default:
falseDeclared by:
programs.screen.screenrc¶
The contents of /etc/screenrc file.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.seahorse.enable¶
Whether to enable Seahorse, a GNOME application for managing encryption keys and passwords in the GNOME Keyring.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.sedutil.enable¶
Whether to enable sedutil.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.singularity.enable¶
Whether to enable Singularity.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.slock.enable¶
Whether to install slock screen locker with setuid wrapper.
Type: boolean
Default:
falseDeclared by:
programs.spacefm.enable¶
Whether to install SpaceFM and create
/etc/spacefm/spacefm.conf.Type: boolean
Default:
falseDeclared by:
programs.spacefm.settings¶
The system-wide spacefm configuration. Parameters to be written to
/etc/spacefm/spacefm.conf. Refer to the relevant entry in the SpaceFM manual.Type: attribute set
Default:
{ graphical_su = "\\${pkgs.gksu}/bin/gksu"; terminal_su = "\\${pkgs.sudo}/bin/sudo"; tmp_dir = "/tmp"; }Example:
{ tmp_dir = "/tmp"; terminal_su = "${pkgs.sudo}/bin/sudo"; graphical_su = "${pkgs.gksu}/bin/gksu"; }Declared by:
programs.ssh.package¶
The package used for the openssh client and daemon.
Type: package
Default:
"pkgs.openssh"Declared by:
programs.ssh.agentPKCS11Whitelist¶
A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add.
Type: null or string
Default:
nullExample:
"\\${pkgs.opensc}/lib/opensc-pkcs11.so"Declared by:
programs.ssh.agentTimeout¶
How long to keep the private keys in memory. Use null to keep them forever.
Type: null or string
Default:
nullExample:
"1h"Declared by:
programs.ssh.askPassword¶
Program used by SSH to ask for passwords.
Type: string
Default:
"\\${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"Declared by:
programs.ssh.extraConfig¶
Extra configuration text prepended to
ssh_config. Other generated options will be added after a Host * pattern. See ssh_config5 for help.Type: strings concatenated with “\n”
Default:
""Declared by:
programs.ssh.forwardX11¶
Whether to request X11 forwarding on outgoing connections by default. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn’t a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS’s X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
Type: boolean
Default:
falseDeclared by:
programs.ssh.hostKeyAlgorithms¶
Specifies the host key algorithms that the client wants to use in order of preference.
Type: list of strings
Default:
[ "+ssh-dss" ]Example:
[ "ssh-ed25519" "ssh-rsa" ]Declared by:
programs.ssh.knownHosts¶
The set of system-wide known SSH hosts.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ myhost = { hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ]; publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; }; myhost2 = { hostNames = [ "myhost2" ]; publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; }; }Declared by:
programs.ssh.knownHosts.<name?>.certAuthority¶
This public key is an SSH certificate authority, rather than an individual host’s key.
Type: boolean
Default:
falseDeclared by:
programs.ssh.knownHosts.<name?>.hostNames¶
A list of host names and/or IP numbers used for accessing the host’s ssh service.
Type: list of strings
Default: ``[
]``
Declared by:
programs.ssh.knownHosts.<name?>.publicKey¶
The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.
Type: null or string
Default:
nullExample:
"ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="Declared by:
programs.ssh.knownHosts.<name?>.publicKeyFile¶
The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the
publicKeyoption.Type: null or path
Default:
nullDeclared by:
programs.ssh.pubkeyAcceptedKeyTypes¶
Specifies the key types that will be used for public key authentication.
Type: list of strings
Default:
[ "+ssh-dss" ]Example:
[ "ssh-ed25519" "ssh-rsa" ]Declared by:
programs.ssh.setXAuthLocation¶
Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.
Type: boolean
Declared by:
programs.ssh.startAgent¶
Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don’t have to type in passphrases every time you make an SSH connection. Use:command:ssh-add to add a key to the agent.
Type: boolean
Default:
falseDeclared by:
programs.sway.enable¶
Whether to enable Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing “exec sway” on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See https://github.com/swaywm/sway/wiki and “man 5 sway” for more information. Please have a look at the “extraSessionCommands” example for running programs natively under Wayland.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.sway.extraOptions¶
Command line arguments passed to launch Sway. Please DO NOT report issues if you use an unsupported GPU (proprietary drivers).
Type: list of strings
Default: ``[
]``
Example:
[ "--verbose" "--debug" "--unsupported-gpu" "--my-next-gpu-wont-be-nvidia" ]Declared by:
programs.sway.extraPackages¶
Extra packages to be installed system wide.
Type: list of packages
Default:
with pkgs; [ swaylock swayidle xwayland rxvt-unicode dmenu ];Example:
with pkgs; [ xwayland i3status i3status-rust termite rofi light ]Declared by:
programs.sway.extraSessionCommands¶
Shell commands executed just before Sway is started.
Type: strings concatenated with “\n”
Default:
""Example:
'' export SDL_VIDEODRIVER=wayland # needs qt5.qtwayland in systemPackages export QT_QPA_PLATFORM=wayland export QT_WAYLAND_DISABLE_WINDOWDECORATION="1" # Fix for some Java AWT applications (e.g. Android Studio), # use this if they aren't displayed properly: export _JAVA_AWT_WM_NONREPARENTING=1 ''Declared by:
programs.sway.wrapperFeatures¶
Attribute set of features to enable in the wrapper.
Type: submodule
Default: ``{
}``
Example:
{ gtk = true; }Declared by:
programs.sway.wrapperFeatures.base¶
Whether to make use of the base wrapper to execute extra session commands and prepend a dbus-run-session to the sway command.
Type: boolean
Default:
trueExample:
falseDeclared by:
programs.sway.wrapperFeatures.gtk¶
Whether to make use of the wrapGAppsHook wrapper to execute sway with required environment variables for GTK applications.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.sysdig.enable¶
Whether to enable sysdig.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.system-config-printer.enable¶
Whether to enable system-config-printer, a Graphical user interface for CUPS administration.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.systemtap.enable¶
Install systemtap along with necessary kernel options.
Type: unspecified
Default:
falseDeclared by:
programs.thefuck.enable¶
Whether to enable thefuck.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.thefuck.alias¶
thefuck needs an alias to be configured. The default value is `fuck`, but you can use anything else as well.
Type: string
Default:
"fuck"Declared by:
programs.tmux.enable¶
Whenever to configure tmux system-wide.
Type: boolean
Default:
falseRelated packages:
pkgs.tmux (tmux-3.0a): Terminal multiplexer.tmux is intended to be a modern, BSD-licensed alternative to programs such as GNU screen. Major features include: * A powerful, consistent, well-documented and easily scriptable command interface. * A window may be split horizontally and vertically into panes. * Panes can be freely moved and resized, or arranged into preset layouts. * Support for UTF-8 and 256-colour terminals. * Copy and paste with multiple buffers. * Interactive menus to select windows, sessions or clients. * Change the current window by searching for text in the target. * Terminal locking, manually or after a timeout. * A clean, easily extended, BSD-licensed codebase, under active development.Declared by:
programs.tmux.aggressiveResize¶
Resize the window to the size of the smallest session for which it is the current window.
Type: boolean
Default:
falseDeclared by:
programs.tmux.baseIndex¶
Base index for windows and panes.
Type: signed integer
Default:
0Example:
1Declared by:
programs.tmux.clock24¶
Use 24 hour clock.
Type: boolean
Default:
falseDeclared by:
programs.tmux.escapeTime¶
Time in milliseconds for which tmux waits after an escape is input.
Type: signed integer
Default:
500Example:
0Declared by:
programs.tmux.extraConfig¶
Additional contents of /etc/tmux.conf
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.tmux.historyLimit¶
Maximum number of lines held in window history.
Type: signed integer
Default:
2000Example:
5000Declared by:
programs.tmux.keyMode¶
VI or Emacs style shortcuts.
Type: one of “emacs”, “vi”
Default:
"emacs"Example:
"vi"Declared by:
programs.tmux.newSession¶
Automatically spawn a session if trying to attach and none are running.
Type: boolean
Default:
falseDeclared by:
programs.tmux.resizeAmount¶
Number of lines/columns when resizing.
Type: signed integer
Default:
5Example:
10Declared by:
programs.tmux.reverseSplit¶
Reverse the window split shortcuts.
Type: boolean
Default:
falseDeclared by:
programs.tmux.secureSocket¶
Store tmux socket under /run, which is more secure than /tmp, but as a downside it doesn’t survive user logout.
Type: boolean
Default:
trueDeclared by:
programs.tmux.shortcut¶
Ctrl following by this key is used as the main shortcut.
Type: string
Default:
"b"Example:
"a"Declared by:
programs.tmux.terminal¶
Set the $TERM variable.
Type: string
Default:
"screen"Example:
"screen-256color"Declared by:
programs.traceroute.enable¶
Whether to configure a setcap wrapper for traceroute.
Type: boolean
Default:
falseDeclared by:
programs.tsmClient.enable¶
Whether to enable IBM Spectrum Protect (Tivoli Storage Manager, TSM) client command line applications with a client system-options file “dsm.sys” .
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.tsmClient.package¶
The TSM client derivation to be added to the system environment. It will called with
.overrideto add paths to the client system-options file.Type: package
Default:
"pkgs.tsm-client"Example:
pkgs.tsm-client-withGuiDeclared by:
programs.tsmClient.defaultServername¶
If multiple server stanzas are declared with, this option may be used to name a default server stanza that IBM TSM uses in the absence of a user-defined
dsm.optfile. This option translates to a``defaultserver`` configuration line.Type: null or string matching the pattern .{1,64}
Default:
nullExample:
"mainTsmServer"Declared by:
programs.tsmClient.dsmSysText¶
This configuration key contains the effective text of the client system-options file “dsm.sys”. It should not be changed, but may be used to feed the configuration into other TSM-depending packages used on the system.
Type: strings concatenated with “\n” (read only)
Declared by:
programs.tsmClient.servers¶
Server definitions (“stanzas”) for the client system-options file.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ mainTsmServer = { extraConfig = { compression = "yes"; } ; node = "MY-TSM-NODE"; server = "tsmserver.company.com"; } ; }Declared by:
programs.tsmClient.servers.<name?>.extraConfig¶
Additional key-value pairs for the server stanza. Values must be strings, or
nullfor the key not to be used in the stanza (e.g. to overrule values generated by other options).Type: attribute set of null or strings
Default: ``{
}``
Example:
{ compression = "yes"; passwordaccess = null; }Declared by:
programs.tsmClient.servers.<name?>.genPasswd¶
Whether to enable automatic client password generation. This option influences the``passwordaccess`` directive in
dsm.sys. The password will be stored in the directory given by the option .*Caution*: If this option is enabled and the server forces to renew the password (e.g. on first connection), a random password will be generated and stored .Type: boolean
Default:
falseExample:
trueDeclared by:
programs.tsmClient.servers.<name?>.includeExclude¶
include.*and``exclude.*`` directives to be used when sending files to the IBM TSM server. The lines will be written into a file that the``inclexcl`` directive indsm.syspoints to.Type: strings concatenated with “\n”
Default:
""Example:
'' exclude.dir /nix/store include.encrypt /home/.../* ''Declared by:
programs.tsmClient.servers.<name?>.name¶
Local name of the IBM TSM server, must be uncapitalized and no longer than 64 chars. The value will be used for the``server`` directive in
dsm.sys.Type: string matching the pattern .{1,64}
Example:
"mainTsmServer"Declared by:
programs.tsmClient.servers.<name?>.node¶
Target node name on the IBM TSM server. The value will be used for the``nodename`` directive in
dsm.sys.Type: string matching the pattern .+
Example:
"MY-TSM-NODE"Declared by:
programs.tsmClient.servers.<name?>.passwdDir¶
Directory that holds the TSM node’s password information. The value will be used for the``passworddir`` directive in
dsm.sys.Type: path
Example:
"/home/alice/tsm-password"Declared by:
programs.tsmClient.servers.<name?>.port¶
TCP port of the IBM TSM server. The value will be used for the``tcpport`` directive in
dsm.sys. TSM does not support ports above 32767.Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
1500Declared by:
programs.tsmClient.servers.<name?>.server¶
Host/domain name or IP address of the IBM TSM server. The value will be used for the``tcpserveraddress`` directive in
dsm.sys.Type: string matching the pattern .+
Example:
"tsmserver.company.com"Declared by:
programs.tsmClient.servers.<name?>.text¶
Additional text lines for the server stanza. This option can be used if certion configuration keys must be used multiple times or ordered in a certain way as the option can’t control the order of lines in the resulting stanza. Note that the
serverline at the beginning of the stanza is not part of this option’s value.Type: strings concatenated with “\n”
Example:
lib.modules.mkAfter "compression no"Declared by:
programs.tsmClient.wrappedPackage¶
The TSM client derivation, wrapped with the path to the client system-options file “dsm.sys”. This option is to provide the effective derivation for other modules that want to call TSM executables.
Type: package (read only)
Declared by:
programs.udevil.enable¶
Whether to enable udevil.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.usbtop.enable¶
Whether to enable usbtop and required kernel module.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.vim.defaultEditor¶
When enabled, installs vim and configures vim to be the default editor using the EDITOR environment variable.
Type: boolean
Default:
falseDeclared by:
programs.wavemon.enable¶
Whether to add wavemon to the global environment and configure a setcap wrapper for it.
Type: boolean
Default:
falseDeclared by:
programs.waybar.enable¶
Whether to enable waybar.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.wireshark.enable¶
Whether to add Wireshark to the global environment and configure a setcap wrapper for ‘dumpcap’ for users in the ‘wireshark’ group.
Type: boolean
Default:
falseDeclared by:
programs.wireshark.package¶
Which Wireshark package to install in the global environment.
Type: package
Default:
"pkgs.wireshark-cli"Declared by:
programs.x2goserver.enable¶
Enables the x2goserver module. NOTE: This will create a good amount of symlinks in `/usr/local/bin`
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.x2goserver.nxagentDefaultOptions¶
List of default nx agent options.
Type: list of strings
Default:
[ "-extension GLX" "-nolisten tcp" ]Example:
[ "-extension GLX" "-nolisten tcp" ]Declared by:
programs.x2goserver.settings¶
x2goserver.conf ini configuration as nix attributes. See `x2goserver.conf(5)` for details
Type: attribute set of attribute sets
Default: ``{
}``
Example:
superenicer = { "enable" = "yes"; "idle-nice-level" = 19; }; telekinesis = { "enable" = "no"; };Declared by:
programs.x2goserver.superenicer.enable¶
Enables the SupeReNicer code in x2gocleansessions, this will renice suspended sessions to nice level 19 and renice them to level 0 if the session becomes marked as running again
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.xfs_quota.projects¶
Setup of xfs_quota projects. Make sure the filesystem is mounted with the pquota option.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ projname = { id = 50; path = "/xfsprojects/projname"; sizeHardLimit = "50g"; } ; }Declared by:
programs.xfs_quota.projects.<name>.fileSystem¶
XFS filesystem hosting the xfs_quota project.
Type: string
Default:
"/"Declared by:
programs.xfs_quota.projects.<name>.id¶
programs.xfs_quota.projects.<name>.path¶
programs.xfs_quota.projects.<name>.sizeHardLimit¶
Hard limit of the project size.
Type: null or string
Default:
nullExample:
"50g"Declared by:
programs.xfs_quota.projects.<name>.sizeSoftLimit¶
Soft limit of the project size
Type: null or string
Default:
nullExample:
"30g"Declared by:
programs.xonsh.enable¶
Whether to configure xonsh as an interactive shell.
Type: boolean
Default:
falseDeclared by:
programs.xonsh.package¶
xonsh package to use.
Type: package
Default:
*(build of xonsh-0.9.13)*Example:
pkgs.xonsh.override { configFile = "/path/to/xonshrc"; }Declared by:
programs.xonsh.config¶
Control file to customize your shell behavior.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.xss-lock.enable¶
Whether to enable xss-lock.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.xss-lock.extraOptions¶
Additional command-line arguments to pass to:command:xss-lock.
Type: list of strings
Default: ``[
]``
Example:
[ "--ignore-sleep" ]Declared by:
programs.xss-lock.lockerCommand¶
Locker to be used with xsslock
Type: strings concatenated with ” “
Default:
"\\${pkgs.i3lock}/bin/i3lock"Example:
${pkgs.i3lock-fancy}/bin/i3lock-fancyDeclared by:
programs.yabar.enable¶
Whether to enable yabar.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.yabar.package¶
The package which contains the `yabar` binary.
Nixpkgs provides the `yabar` and `yabar-unstable` derivations since 18.03, so it’s possible to choose.
Type: package
Default:
*(build of yabar-unstable-2018-01-18)*Example:
pkgs.yabarDeclared by:
programs.yabar.bars¶
List of bars that should be rendered by yabar.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
programs.yabar.bars.<name>.extra¶
An attribute set which contains further attributes of a bar.
Type: attribute set of strings
Default: ``{
}``
Declared by:
programs.yabar.bars.<name>.font¶
The font that will be used to draw the status bar.
Type: string
Default:
"sans bold 9"Example:
"Droid Sans, FontAwesome Bold 9"Declared by:
programs.yabar.bars.<name>.indicators¶
Indicators that should be rendered by yabar.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
programs.yabar.bars.<name>.indicators.<name>.align¶
Whether to align the indicator at the left or right of the bar.
Type: one of “left”, “center”, “right”
Default:
"left"Example:
"right"Declared by:
programs.yabar.bars.<name>.indicators.<name>.exec¶
The type of the indicator to be executed.
Type: string
Example:
"YABAR_DATE"Declared by:
programs.yabar.bars.<name>.indicators.<name>.extra¶
An attribute set which contains further attributes of a indicator.
Type: attribute set of string or signed integers
Default: ``{
}``
Declared by:
programs.yabar.bars.<name>.position¶
The position where the bar will be rendered.
Type: one of “top”, “bottom”
Default:
"top"Example:
"bottom"Declared by:
programs.zmap.enable¶
Whether to enable ZMap.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.zsh.enable¶
Whether to configure zsh as an interactive shell. To enable zsh for a particular user, use the option for that user. To enable zsh system-wide use the option.
Type: boolean
Default:
falseDeclared by:
programs.zsh.enableCompletion¶
Enable zsh completion for all interactive zsh shells.
Type: boolean
Default:
trueDeclared by:
programs.zsh.enableGlobalCompInit¶
Enable execution of compinit call for all interactive zsh shells.
This option can be disabled if the user wants to extend its``fpath`` and a custom
compinitcall in the local config is required.Type: boolean
Default:
trueDeclared by:
programs.zsh.autosuggestions.enable¶
Whether to enable zsh-autosuggestions.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.zsh.autosuggestions.extraConfig¶
Attribute set with additional configuration values
Type: attribute set of strings
Default: ``{
}``
Example:
{ "ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "20"; }Declared by:
programs.zsh.autosuggestions.highlightStyle¶
Highlight style for suggestions ({fore,back}ground color)
Type: string
Default:
"fg=8"Example:
"fg=cyan"Declared by:
programs.zsh.autosuggestions.strategy¶
Set ZSH_AUTOSUGGEST_STRATEGY to choose the strategy for generating suggestions. There are currently two to choose from:
- history: Chooses the most recent match.
- match_prev_cmd: Chooses the most recent match whose preceding history item matches
the most recently executed command (more info). Note that this strategy won’t work as expected with ZSH options that don’t preserve the history order such as HIST_IGNORE_ALL_DUPS or HIST_EXPIRE_DUPS_FIRST.
Type: one of “history”, “match_prev_cmd”
Default:
"history"Declared by:
programs.zsh.histFile¶
Change history file.
Type: string
Default:
"\\$HOME/.zsh_history"Declared by:
programs.zsh.histSize¶
Change history size.
Type: signed integer
Default:
2000Declared by:
programs.zsh.interactiveShellInit¶
Shell script code called during interactive zsh shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.zsh.loginShellInit¶
Shell script code called during zsh login shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.zsh.ohMyZsh.enable¶
Enable oh-my-zsh.
Type: unspecified
Default:
falseDeclared by:
programs.zsh.ohMyZsh.package¶
Package to install for `oh-my-zsh` usage.
Type: package
Default:
"pkgs.oh-my-zsh"Declared by:
programs.zsh.ohMyZsh.cacheDir¶
Cache directory to be used by `oh-my-zsh`. Without this option it would default to the read-only nix store.
Type: string
Default:
"\\$HOME/.cache/oh-my-zsh"Declared by:
programs.zsh.ohMyZsh.custom¶
Path to a custom oh-my-zsh package to override config of oh-my-zsh. (Can’t be used along with `customPkgs`).
Type: null or string
Default:
nullDeclared by:
programs.zsh.ohMyZsh.customPkgs¶
List of custom packages that should be loaded into `oh-my-zsh`.
Type: list of packages
Default: ``[
]``
Declared by:
programs.zsh.ohMyZsh.plugins¶
programs.zsh.ohMyZsh.theme¶
Name of the theme to be used by oh-my-zsh.
Type: string
Default:
""Declared by:
programs.zsh.promptInit¶
Shell script code used to initialise the zsh prompt.
Type: strings concatenated with “\n”
Default:
'' # Note that to manually override this in ~/.zshrc you should run `prompt off` # before setting your PS1 and etc. Otherwise this will likely to interact with # your ~/.zshrc configuration in unexpected ways as the default prompt sets # a lot of different prompt variables. autoload -U promptinit && promptinit && prompt walters && setopt prompt_sp ''Declared by:
programs.zsh.setOptions¶
Configure zsh options. Seezshoptions1.
Type: list of strings
Default:
[ "HIST_IGNORE_DUPS" "SHARE_HISTORY" "HIST_FCNTL_LOCK" ]Example:
[ "EXTENDED_HISTORY" "RM_STAR_WAIT" ]Declared by:
programs.zsh.shellAliases¶
Set of aliases for zsh shell, which overrides . See for an option format description.
Type: attribute set of null or string or paths
Default: ``{
}``
Declared by:
programs.zsh.shellInit¶
Shell script code called during zsh shell initialisation.
Type: strings concatenated with “\n”
Default:
""Declared by:
programs.zsh.syntaxHighlighting.enable¶
Whether to enable zsh-syntax-highlighting.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.zsh.syntaxHighlighting.highlighters¶
Specifies the highlighters to be used by zsh-syntax-highlighting.
The following defined options can be found here: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
Type: list of one of “main”, “brackets”, “pattern”, “cursor”, “root”, “line”s
Default:
[ "main" ]Declared by:
programs.zsh.syntaxHighlighting.patterns¶
Specifies custom patterns to be highlighted by zsh-syntax-highlighting.
Please refer to the docs for more information about the usage: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md
Type: attribute set of strings
Default: ``{
}``
Example:
{ "rm -rf *" = "fg=white,bold,bg=red"; }Declared by:
programs.zsh.syntaxHighlighting.styles¶
Specifies custom styles to be highlighted by zsh-syntax-highlighting.
Please refer to the docs for more information about the usage: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/main.md
Type: attribute set of strings
Default: ``{
}``
Example:
{ "alias" = "fg=magenta,bold"; }Declared by:
programs.zsh.vteIntegration¶
Whether to enable Zsh integration for VTE terminals. This allows it to preserve the current directory of the shell across terminals.
Type: boolean
Default:
falseDeclared by:
programs.zsh.zsh-autoenv.enable¶
Whether to enable zsh-autoenv.
Type: boolean
Default:
falseExample:
trueDeclared by:
programs.zsh.zsh-autoenv.package¶
Package to install for `zsh-autoenv` usage.
Type: package
Default:
"pkgs.zsh-autoenv"Declared by:
qt5.enable¶
Whether to enable Qt5 theming configuration.
Type: boolean
Default:
falseExample:
trueDeclared by:
qt5.platformTheme¶
Selects the platform theme to use for Qt5 applications.
The options are
gtkUse GTK theme with qtstyleplugins
gnomeUse GNOME theme with qgnomeplatformType: one of “gtk2”, “gnome”
Example:
"gnome"Related packages:
pkgs.qgnomeplatform (qgnomeplatform-0.6.0): QPlatformTheme for a better Qt application inclusion in GNOME.pkgs.libsForQt5.qtstyleplugins (qtstyleplugins-2017-03-11): Additional style plugins for Qt5, including BB10, GTK, Cleanlooks, Motif, Plastique.Declared by:
qt5.style¶
Selects the style to use for Qt5 applications.
The options are
adwaitaUse Adwaita Qt style with adwaita
cleanlooks,gtk2,motif,plastiqueUse styles from qtstylepluginsType: one of “adwaita”, “cleanlooks”, “gtk2”, “motif”, “plastique”
Example:
"adwaita"Related packages:
pkgs.adwaita-qt (adwaita-qt-1.1.1): A style to bend Qt applications to look like they belong into GNOME Shell.pkgs.libsForQt5.qtstyleplugins (qtstyleplugins-2017-03-11): Additional style plugins for Qt5, including BB10, GTK, Cleanlooks, Motif, Plastique.Declared by:
security.acme.acceptTerms¶
Accept the CA’s terms of service. The default provier is Let’s Encrypt, you can find their ToS at https://letsencrypt.org/repository/
Type: boolean
Default:
falseDeclared by:
security.acme.certs¶
Attribute set of certificates to get signed and renewed. Creates``acme-${cert}.{service,timer}`` systemd units for each certificate defined here. Other services can add dependencies to those units if they rely on the certificates being present, or trigger restarts of the service if certificates get renewed.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "example.com" = { webroot = "/var/www/challenges/"; email = "foo@example.com"; extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; }; "bar.example.com" = { webroot = "/var/www/challenges/"; email = "bar@example.com"; }; }Declared by:
security.acme.certs.<name>.allowKeysForGroup¶
Give read permissions to the specified group () to read SSL private certificates.
Type: boolean
Default:
falseDeclared by:
security.acme.certs.<name>.credentialsFile¶
Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
Type: path
Example:
"/var/src/secrets/example.org-route53-api-token"Declared by:
security.acme.certs.<name>.directory¶
Directory where certificate and other state is stored.
Type: string (read only)
Default:
"/var/lib/acme/‹name›"Declared by:
security.acme.certs.<name>.dnsPropagationCheck¶
Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.
Type: boolean
Default:
trueDeclared by:
security.acme.certs.<name>.dnsProvider¶
DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
Type: null or string
Default:
nullExample:
"route53"Declared by:
security.acme.certs.<name>.domain¶
Domain to fetch certificate for (defaults to the entry name)
Type: string
Default:
"‹name›"Declared by:
security.acme.certs.<name>.email¶
Contact email address for the CA to be able to reach you.
Type: null or string
Default:
nullDeclared by:
security.acme.certs.<name>.extraDomains¶
A list of extra domain names, which are included in the one certificate to be issued, with their own server roots if needed.
Type: attribute set of null or strings
Default: ``{
}``
Example:
{ "example.org" = "/srv/http/nginx"; "mydomain.org" = null; }Declared by:
security.acme.certs.<name>.group¶
Group running the ACME client.
Type: string
Default:
"root"Declared by:
security.acme.certs.<name>.keyType¶
Key type to use for private keys. For an up to date list of supported values check the –key-type option at https://go-acme.github.io/lego/usage/cli/#usage.
Type: string
Default:
"ec384"Declared by:
security.acme.certs.<name>.postRun¶
Commands to run after new certificates go live. Typically the web server and other servers using certificates need to be reloaded.
Executed in the same directory with the new certificate.
Type: strings concatenated with “\n”
Default:
""Example:
"systemctl reload nginx.service"Declared by:
security.acme.certs.<name>.server¶
ACME Directory Resource URI. Defaults to let’s encrypt production endpoint, https://acme-v02.api.letsencrypt.org/directory, if unset.
Type: null or string
Default:
nullDeclared by:
security.acme.certs.<name>.user¶
User running the ACME client.
Type: string
Default:
"root"Declared by:
security.acme.certs.<name>.webroot¶
Where the webroot of the HTTP vhost is located.:file:.well-known/acme-challenge/ directory will be created below the webroot if it doesn’t exist.``http://example.org/.well-known/acme-challenge/`` must also be available (notice unencrypted HTTP).
Type: null or string
Default:
nullExample:
"/var/lib/acme/acme-challenges"Declared by:
security.acme.email¶
Contact email address for the CA to be able to reach you.
Type: null or string
Default:
nullDeclared by:
security.acme.preliminarySelfsigned¶
Whether a preliminary self-signed certificate should be generated before doing ACME requests. This can be useful when certificates are required in a webserver, but ACME needs the webserver to make its requests.
With preliminary self-signed certificate the webserver can be started and can later reload the correct ACME certificates.
Type: boolean
Default:
trueDeclared by:
security.acme.renewInterval¶
Systemd calendar expression when to check for renewal. Seesystemd.time7.
Type: string
Default:
"weekly"Declared by:
security.acme.server¶
ACME Directory Resource URI. Defaults to let’s encrypt production endpoint,``https://acme-v02.api.letsencrypt.org/directory``, if unset.
Type: null or string
Default:
nullDeclared by:
security.acme.validMinDays¶
Minimum remaining validity before renewal in days.
Type: signed integer
Default:
30Declared by:
security.allowSimultaneousMultithreading¶
Whether to allow SMT/hyperthreading. Disabling SMT means that only physical CPU cores will be usable at runtime, potentially at significant performance cost.
The primary motivation for disabling SMT is to mitigate the risk of leaking data between threads running on the same CPU core (due to e.g., shared caches). This attack vector is unproven.
Disabling SMT is a supplement to the L1 data cache flushing mitigation (see security.virtualisation.flushL1DataCache) versus malicious VM guests (SMT could “bring back” previously flushed data).
Type: boolean
Default:
trueDeclared by:
security.allowUserNamespaces¶
Whether to allow creation of user namespaces.
The motivation for disabling user namespaces is the potential presence of code paths where the kernel’s permission checking logic fails to account for namespacing, instead permitting a namespaced process to act outside the namespace with the same privileges as it would have inside it. This is particularly damaging in the common case of running as root within the namespace.
When user namespace creation is disallowed, attempting to create a user namespace fails with “no space left on device” (ENOSPC). root may re-enable user namespace creation at runtime.
Type: boolean
Default:
trueDeclared by:
security.apparmor.enable¶
Enable the AppArmor Mandatory Access Control system.
Type: boolean
Default:
falseDeclared by:
security.apparmor.packages¶
List of packages to be added to apparmor’s include path
Type: list of packages
Default: ``[
]``
Declared by:
security.apparmor.confineSUIDApplications¶
Install AppArmor profiles for commonly-used SUID application to mitigate potential privilege escalation attacks due to bugs in such applications.
Currently available profiles: ping
Type: unspecified
Default:
trueDeclared by:
security.apparmor.profiles¶
security.audit.enable¶
Whether to enable the Linux audit system. The special `lock’ value can be used to enable auditing and prevent disabling it until a restart. Be careful about locking this, as it will prevent you from changing your audit configuration until you restart. If possible, test your configuration using build-vm beforehand.
Type: one of <bool>, <bool>, “lock”
Default:
falseDeclared by:
security.audit.backlogLimit¶
The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode.
Type: signed integer
Default:
64Declared by:
security.audit.failureMode¶
How to handle critical errors in the auditing system
Type: one of “silent”, “printk”, “panic”
Default:
"printk"Declared by:
security.audit.rateLimit¶
The maximum messages per second permitted before triggering a failure as specified by failureMode. Setting it to zero disables the limit.
Type: signed integer
Default:
0Declared by:
security.audit.rules¶
The ordered audit rules, with each string appearing as one line of the audit.rules file.
Type: list of strings
Default: ``[
]``
Example:
[ "-a exit,always -F arch=b64 -S execve" ]Declared by:
security.auditd.enable¶
Whether to enable the Linux Audit daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
security.chromiumSuidSandbox.enable¶
Whether to install the Chromium SUID sandbox which is an executable that Chromium may use in order to achieve sandboxing.
If you get the error “The SUID sandbox helper binary was found, but is not configured correctly.”, turning this on might help.
Also, if the URL chrome://sandbox tells you that “You are not adequately sandboxed!”, turning this on might resolve the issue.
Type: boolean
Default:
falseDeclared by:
security.dhparams.enable¶
Whether to generate new DH params and clean up old DH params.
Type: boolean
Default:
falseDeclared by:
security.dhparams.defaultBitSize¶
This allows to override the default bit size for all of the Diffie-Hellman parameters set in.
Type: integer of at least 16 bits
Default:
2048Declared by:
security.dhparams.params¶
Diffie-Hellman parameters to generate.
The value is the size (in bits) of the DH params to generate. The generated DH params path can be found in``config.security.dhparams.params.*name*.path``.
Note
The name of the DH params is taken as being the name of the service it serves and the params will be generated before the said service is started.
Warning
If you are removing all dhparams from this list, you have to leave for at least one activation in order to have them be cleaned up. This also means if you rollback to a version without any dhparams the existing ones won’t be cleaned up. Of course this only applies if is``true``.
Note
It’s recommended to not set a specific bit size here, so that users can easily override this by setting.
Type: attribute set of submodule or signed integer convertible to its
Default: ``{
}``
Example:
{ nginx.bits = 3072; }Declared by:
security.dhparams.params.<name>.bits¶
The bit size for the prime that is used during a Diffie-Hellman key exchange.
Type: integer of at least 16 bits
Default:
2048Declared by:
security.dhparams.params.<name>.path¶
The resulting path of the generated Diffie-Hellman parameters file for other services to reference. This could be either a store path or a file inside the directory specified by.
Type: path (read only)
Declared by:
security.dhparams.path¶
Path to the directory in which Diffie-Hellman parameters will be stored. This only is relevant if is``true``.
Type: string
Default:
"/var/lib/dhparams"Declared by:
security.dhparams.stateful¶
Whether generation of Diffie-Hellman parameters should be stateful or not. If this is enabled, PEM-encoded files for Diffie-Hellman parameters are placed in the directory specified by. Otherwise the files are created within the Nix store.
Note
If this is
falsethe resulting store path will be non-deterministic and will be rebuilt every time theopenssl package changes.Type: boolean
Default:
trueDeclared by:
security.duosec.acceptEnvFactor¶
Look for factor selection or passcode in the``$DUO_PASSCODE`` environment variable before prompting the user for input.
When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in its configuration, and the SSH server will similarly need AcceptEnv DUO_PASSCODE.
Type: boolean
Default:
falseDeclared by:
security.duosec.allowTcpForwarding¶
By default, when SSH forwarding, enabling Duo Security will disable TCP forwarding. By enabling this, you potentially undermine some of the SSH based login security. Note this is not needed if you use PAM.
Type: boolean
Default:
falseDeclared by:
security.duosec.autopush¶
If
true, Duo Unix will automatically send a push login request to the user’s phone, falling back on a phone call if push is unavailable. If``false``, the user will be prompted to choose an authentication method. When configured with``autopush = yes``, we recommend setting``prompts = 1``.Type: boolean
Default:
falseDeclared by:
security.duosec.failmode¶
On service or configuration errors that prevent Duo authentication, fail “safe” (allow access) or “secure” (deny access). The default is “safe”.
Type: one of “safe”, “secure”
Default:
"safe"Declared by:
security.duosec.fallbackLocalIP¶
Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting``fallbackLocalIP = yes`` will cause Duo Unix to send the IP address of the server it is running on.
If you are using IP whitelisting, enabling this option could cause unauthorized logins if the local IP is listed in the whitelist.
Type: boolean
Default:
falseDeclared by:
security.duosec.groups¶
If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists. Refer to` <https://duo.com/docs/duounix>`_ for details.
Type: string
Default:
""Example:
"users,!wheel,!*admin guests"Declared by:
security.duosec.host¶
security.duosec.ikey¶
security.duosec.motd¶
Print the contents of
/etc/motdto screen after a successful login.Type: boolean
Default:
falseDeclared by:
security.duosec.pam.enable¶
If enabled, protect logins with Duo Security using PAM support.
Type: boolean
Default:
falseDeclared by:
security.duosec.prompts¶
If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3.
For example, when
prompts = 1, the user will have to successfully authenticate on the first prompt, whereas ifprompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again.When configured with
autopush = true, we recommend settingprompts = 1.Type: one of 1, 2, 3
Default:
3Declared by:
security.duosec.pushinfo¶
Include information such as the command to be executed in the Duo Push message.
Type: boolean
Default:
falseDeclared by:
security.duosec.skey¶
security.duosec.ssh.enable¶
If enabled, protect SSH logins with Duo Security.
Type: boolean
Default:
falseDeclared by:
security.forcePageTableIsolation¶
Whether to force-enable the Page Table Isolation (PTI) Linux kernel feature even on CPU models that claim to be safe from Meltdown.
This hardening feature is most beneficial to systems that run untrusted workloads that rely on address space isolation for security.
Type: boolean
Default:
falseDeclared by:
security.googleOsLogin.enable¶
Whether to enable Google OS Login
The OS Login package enables the following components: AuthorizedKeysCommand to query valid SSH keys from the user’s OS Login profile during ssh authentication phase. NSS Module to provide user and group information PAM Module for the sshd service, providing authorization and authentication support, allowing the system to use data stored in Google Cloud IAM permissions to control both, the ability to log into an instance, and to perform operations as root (sudo).
Type: boolean
Default:
falseDeclared by:
security.hideProcessInformation¶
Restrict process information to the owning user.
Type: boolean
Default:
falseDeclared by:
security.lockKernelModules¶
Disable kernel module loading once the system is fully initialised. Module loading is disabled until the next reboot. Problems caused by delayed module loading can be fixed by adding the module(s) in question to .
Type: boolean
Default:
falseDeclared by:
security.pam.enableEcryptfs¶
Enable eCryptfs PAM module (mounting ecryptfs home directory on login).
Type: unspecified
Default:
falseDeclared by:
security.pam.enableOTPW¶
Enable the OTPW (one-time password) PAM module.
Type: unspecified
Default:
falseDeclared by:
security.pam.enableSSHAgentAuth¶
Enable sudo logins if the user’s SSH agent provides a key present in
~/.ssh/authorized_keys. This allows machines to exclusively use SSH keys instead of passwords.Type: unspecified
Default:
falseDeclared by:
security.pam.loginLimits¶
Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a
domain,type,item, andvalueattribute. The syntax and semantics of these attributes must be that described in the limits.conf(5) man page.Note that these limits do not apply to systemd services, whose limits can be changed via instead.
Type: unspecified
Default: ``[
]``
Example: ``[
{ domain = “ftp”; item = “nproc”; type = “hard”; value = “0”; }
{ domain = “@student”; item = “maxlogins”; type = “-“; value = “4”; }
]``
Declared by:
security.pam.makeHomeDir.skelDirectory¶
Path to skeleton directory whose contents are copied to home directories newly created by
pam_mkhomedir.Type: string
Default:
"/var/empty"Example:
"/etc/skel"Declared by:
security.pam.mount.enable¶
Enable PAM mount system to mount fileystems on user login.
Type: boolean
Default:
falseDeclared by:
security.pam.mount.extraVolumes¶
List of volume definitions for pam_mount. For more information, visit ` <http://pam-mount.sourceforge.net/pam_mount.conf.5.html>`_.
Type: list of strings
Default: ``[
]``
Declared by:
security.pam.oath.enable¶
Enable the OATH (one-time password) PAM module.
Type: boolean
Default:
falseDeclared by:
security.pam.oath.digits¶
Specify the length of the one-time password in number of digits.
Type: one of 6, 7, 8
Default:
6Declared by:
security.pam.oath.usersFile¶
Set the path to file where the user’s credentials are stored. This file must not be world readable!
Type: path
Default:
"/etc/users.oath"Declared by:
security.pam.oath.window¶
Specify the number of one-time passwords to check in order to accommodate for situations where the system and the client are slightly out of sync (iteration for HOTP or time steps for TOTP).
Type: signed integer
Default:
5Declared by:
security.pam.services¶
This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.
Type: list or attribute set of submodules
Default: ``[
]``
Declared by:
security.pam.services.<name?>.enableAppArmor¶
Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.enableGnomeKeyring¶
If enabled, pam_gnome_keyring will attempt to automatically unlock the user’s default Gnome keyring upon login. If the user login password does not match their keyring password, Gnome Keyring will prompt separately after login.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.enableKwallet¶
If enabled, pam_wallet will attempt to automatically unlock the user’s default KDE wallet upon login. If the user has no wallet named “kdewallet”, or the login password does not match their wallet password, KDE will prompt separately after login.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.allowNullPassword¶
Whether to allow logging into accounts that have no password set (i.e., have an empty password field in:file:/etc/passwd or:file:/etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to
!). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.duoSecurity.enable¶
If set, use the Duo Security pam module``pam_duo`` for authentication. Requires configuration of options.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.forwardXAuth¶
Whether X authentication keys should be passed from the calling user to the target user (e.g. for:command:su)
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.fprintAuth¶
If set, fingerprint reader will be used (if exists and your fingerprints are enrolled).
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.googleAuthenticator.enable¶
If set, users with enabled Google Authenticator (created:file:~/.google_authenticator) will be required to provide Google Authenticator token to log in.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.googleOsLoginAccountVerification¶
If set, will use the Google OS Login PAM modules (
pam_oslogin_login,``pam_oslogin_admin``) to verify possible OS Login users and set sudoers configuration accordingly. This only makes sense to enable for thesshdPAM service.Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.googleOsLoginAuthentication¶
If set, will use the
pam_oslogin_login’s user authentication methods to authenticate users using 2FA. This only makes sense to enable for thesshdPAM service.Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.limits¶
Attribute set describing resource limits. Defaults to the value of .
Type: unspecified
Declared by:
security.pam.services.<name?>.logFailures¶
Whether to log authentication failures in
/var/log/faillog.Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.makeHomeDir¶
Whether to try to create home directories for users with ``$HOME``s pointing to nonexistent locations on session login.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.name¶
Name of the PAM service.
Type: string
Example:
"sshd"Declared by:
security.pam.services.<name?>.oathAuth¶
If set, the OATH Toolkit will be used.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.otpwAuth¶
If set, the OTPW system will be used (if:file:~/.otpw exists).
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.pamMount¶
Enable PAM mount (pam_mount) system to mount fileystems on user login.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.requireWheel¶
Whether to permit root access only to members of group wheel.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.rootOK¶
If set, root doesn’t need to authenticate (e.g. for the:command:useradd service).
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.setEnvironment¶
Whether the service should set the environment variables listed in using
pam_env.so.Type: boolean
Default:
trueDeclared by:
security.pam.services.<name?>.setLoginUid¶
Set the login uid of the process (
/proc/self/loginuid) for auditing purposes. The login uid is only set by ‘entry points’ like:command:login and sshd, not by commands like sudo.Type: boolean
Declared by:
security.pam.services.<name?>.showMotd¶
Whether to show the message of the day.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.sshAgentAuth¶
If set, the calling user’s SSH agent is used to authenticate against the keys in the calling user’s:file:~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.sssdStrictAccess¶
enforce sssd access control
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.startSession¶
If set, the service will register a new session with systemd’s login manager. For local sessions, this will give the user access to audio devices, CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.text¶
Contents of the PAM service file.
Type: null or strings concatenated with “\n”
Declared by:
security.pam.services.<name?>.u2fAuth¶
If set, users listed in:file:$XDG_CONFIG_HOME/Yubico/u2f_keys (or:file:$HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. Path can be changed using option.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.unixAuth¶
Whether users can log in with passwords defined in:file:/etc/shadow.
Type: boolean
Default:
trueDeclared by:
security.pam.services.<name?>.updateWtmp¶
Whether to update
/var/log/wtmp.Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.usbAuth¶
If set, users listed in:file:/etc/pamusb.conf are able to log in with the associated USB key.
Type: boolean
Default:
falseDeclared by:
security.pam.services.<name?>.yubicoAuth¶
If set, users listed in:file:~/.yubico/authorized_yubikeys are able to log in with the asociated Yubikey tokens.
Type: boolean
Default:
falseDeclared by:
security.pam.u2f.enable¶
Enables U2F PAM (
pam-u2f) module.If set, users listed in:file:$XDG_CONFIG_HOME/Yubico/u2f_keys (or:file:$HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using option.
File format is:
username:first_keyHandle,first_public_key: second_keyHandle,second_public_keyThis file can be generated using pamu2fcfg command.More information can be found here.
Type: boolean
Default:
falseDeclared by:
security.pam.u2f.authFile¶
By default
pam-u2fmodule reads the keys from:file:$XDG_CONFIG_HOME/Yubico/u2f_keys (or:file:$HOME/.config/Yubico/u2f_keys if XDG variable is not set).If you want to change auth file locations or centralize database (for example use
/etc/u2f-mappings) you can set this option.File format is:
username:first_keyHandle,first_public_key: second_keyHandle,second_public_keyThis file can be generated using pamu2fcfg command.More information can be found here.
Type: null or path
Default:
nullDeclared by:
security.pam.u2f.control¶
This option sets pam “control”. If you want to have multi factor authentication, use “required”. If you want to use U2F device instead of regular password, use “sufficient”.
Readpam.conf5 for better understanding of this option.
Type: one of “required”, “requisite”, “sufficient”, “optional”
Default:
"sufficient"Declared by:
security.pam.u2f.cue¶
By default
pam-u2fmodule does not inform user that he needs to use the u2f device, it just waits without a prompt.If you set this option to
true,``cue`` option is added topam-u2fmodule and reminder message will be displayed.Type: boolean
Default:
falseDeclared by:
security.pam.u2f.debug¶
Debug output to stderr.
Type: boolean
Default:
falseDeclared by:
security.pam.u2f.interactive¶
Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn’t have a tactile trigger.
Type: boolean
Default:
falseDeclared by:
security.pam.usb.enable¶
Enable USB login for all login systems that support it. For more information, visit ` <https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users>`_.
Type: boolean
Default:
falseDeclared by:
security.pam.yubico.enable¶
Enables Yubico PAM (
yubico-pam) module.If set, users listed in:file:~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.
The file must have only one line:
username:yubikey_token_id1:yubikey_token_id2More information can be found here.Type: boolean
Default:
falseDeclared by:
security.pam.yubico.control¶
This option sets pam “control”. If you want to have multi factor authentication, use “required”. If you want to use Yubikey instead of regular password, use “sufficient”.
Readpam.conf5 for better understanding of this option.
Type: one of “required”, “requisite”, “sufficient”, “optional”
Default:
"sufficient"Declared by:
security.pam.yubico.debug¶
Debug output to stderr.
Type: boolean
Default:
falseDeclared by:
security.pam.yubico.id¶
security.pam.yubico.mode¶
Mode of operation.
Use “client” for online validation with a YubiKey validation service such as the YubiCloud.
Use “challenge-response” for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.
More information can be found here.
Type: one of “client”, “challenge-response”
Default:
"client"Declared by:
security.pki.caCertificateBlacklist¶
A list of blacklisted CA certificate names that won’t be imported from the Mozilla Trust Store into:file:/etc/ssl/certs/ca-certificates.crt. Use the names from that file.
Type: list of strings
Default: ``[
]``
Example:
[ "WoSign" "WoSign China" "CA WoSign ECC Root" "Certification Authority of WoSign G2" ]Declared by:
security.pki.certificateFiles¶
A list of files containing trusted root certificates in PEM format. These are concatenated to form:file:/etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as:command:curl and git.
Type: list of paths
Default: ``[
]``
Example:
[ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]Declared by:
security.pki.certificates¶
A list of trusted root certificates in PEM format.
Type: list of strings
Default: ``[
]``
Example:
[ '' NixOS.org ========= -----BEGIN CERTIFICATE----- MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0 ... -----END CERTIFICATE----- '' ]Declared by:
security.polkit.enable¶
Whether to enable PolKit.
Type: boolean
Default:
trueDeclared by:
security.polkit.adminIdentities¶
Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an
auth_adminvalue). By default, this is all users in thewheelgroup.Type: list of strings
Default:
[ "unix-group:wheel" ]Example:
[ "unix-user:alice" "unix-group:admin" ]Declared by:
security.polkit.extraConfig¶
Any polkit rules to be added to config (in JavaScript ;-). See: http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
Type: strings concatenated with “\n”
Default:
""Example:
'' /* Log authorization checks. */ polkit.addRule(function(action, subject) { polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); }); /* Allow any local user to do anything (dangerous!). */ polkit.addRule(function(action, subject) { if (subject.local) return "yes"; }); ''Declared by:
security.protectKernelImage¶
Whether to prevent replacing the running kernel image.
Type: boolean
Default:
falseDeclared by:
security.rngd.enable¶
Whether to enable the rng daemon, which adds entropy from hardware sources of randomness to the kernel entropy pool when available.
Type: boolean
Default:
trueDeclared by:
security.rngd.debug¶
Whether to enable debug output (-d).
Type: boolean
Default:
falseDeclared by:
security.rtkit.enable¶
Whether to enable the RealtimeKit system service, which hands out realtime scheduling priority to user processes on demand. For example, the PulseAudio server uses this to acquire realtime priority.
Type: boolean
Default:
falseDeclared by:
security.sudo.enable¶
Whether to enable the sudo command, which allows non-root users to execute commands as root.
Type: boolean
Default:
trueDeclared by:
security.sudo.configFile¶
This string contains the contents of the:file:sudoers file.
Type: strings concatenated with “\n”
Declared by:
security.sudo.extraConfig¶
Extra configuration text appended to
sudoers.Type: strings concatenated with “\n”
Default:
""Declared by:
security.sudo.extraRules¶
Define specific rules to be in the
sudoersfile. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure this is the case when configuration options are merged.Type: list of submodules
Default: ``[
]``
Example:
[ # Allow execution of any command by all users in group sudo, # requiring a password. { groups = [ "sudo" ]; commands = [ "ALL" ]; } # Allow execution of "/home/root/secret.sh" by user `backup`, `database` # and the group with GID `1006` without a password. { users = [ "backup" "database" ]; groups = [ 1006 ]; commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; } # Allow all users of group `bar` to run two executables as user `foo` # with arguments being pre-set. { groups = [ "bar" ]; runAs = "foo"; commands = [ "/home/baz/cmd1.sh hello-sudo" { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; } ]Declared by:
security.sudo.extraRules.*.commands¶
The commands for which the rule should apply.
Type: list of string or submodules
Declared by:
security.sudo.extraRules.*.groups¶
The groups / GIDs this rule should apply for.
Type: list of string or signed integers
Default: ``[
]``
Declared by:
security.sudo.extraRules.*.host¶
For what host this rule should apply.
Type: string
Default:
"ALL"Declared by:
security.sudo.extraRules.*.runAs¶
Under which user/group the specified command is allowed to run.
A user can be specified using just the username: “foo”. It is also possible to specify a user/group combination using “foo:bar” or to only allow running as a specific group with “:bar”.
Type: string
Default:
"ALL:ALL"Declared by:
security.sudo.extraRules.*.users¶
The usernames / UIDs this rule should apply for.
Type: list of string or signed integers
Default: ``[
]``
Declared by:
security.sudo.wheelNeedsPassword¶
Whether users of the wheel group must provide a password to run commands as super user via sudo.
Type: boolean
Default:
trueDeclared by:
security.virtualisation.flushL1DataCache¶
Whether the hypervisor should flush the L1 data cache before entering guests. See also security.allowSimultaneousMultithreading.
nulluses the kernel default
"never"disables L1 data cache flushing entirely. May be appropriate if all guests are trusted.
"cond"flushes L1 data cache only for pre-determined code paths. May leak information about the host address space layout.
"always"flushes L1 data cache every time the hypervisor enters the guest. May incur significant performance cost.Type: null or one of “never”, “cond”, “always”
Default:
nullDeclared by:
security.wrappers¶
This option allows the ownership and permissions on the setuid wrappers for specific programs to be overridden from the default (setuid root, but not setgid root).
Note
The sub-attribute
sourceis mandatory, it must be the absolute path to the program to be wrapped.The sub-attribute
programis optional and can give the wrapper program a new name. The default name is the same as the attribute name itself.Additionally, this option can set capabilities on a wrapper program that propagates those capabilities down to the wrapped, real program.
NOTE: cap_setpcap, which is required for the wrapper program to be able to raise caps into the Ambient set is NOT raised to the Ambient set so that the real program cannot modify its own capabilities!! This may be too restrictive for cases in which the real program needs cap_setpcap but it at least leans on the side security paranoid vs. too relaxed.
Type: attribute set
Default: ``{
}``
Example:
{ sendmail.source = "/nix/store/.../bin/sendmail"; ping = { source = "${pkgs.iputils.out}/bin/ping"; owner = "nobody"; group = "nogroup"; capabilities = "cap_net_raw+ep"; }; }Declared by:
services.packagekit.enable¶
Whether to enable PackageKit provides a cross-platform D-Bus abstraction layer for installing software. Software utilizing PackageKit can install software regardless of the package manager. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.packagekit.backend¶
PackageKit supports multiple different backends and
autowhich should do the right thing.On NixOS however, we do not have a backend compatible with nix 2.0 (refer to this issue so we have to force it to
test_nopfor now.Type: one of “test_nop”
Default:
"test_nop"Declared by:
services.SystemdJournal2Gelf.enable¶
Whether to enable SystemdJournal2Gelf.
Type: boolean
Default:
falseDeclared by:
services.SystemdJournal2Gelf.package¶
SystemdJournal2Gelf package to use.
Type: package
Default:
*(build of SystemdJournal2Gelf-unstable-20190702)*Declared by:
services.SystemdJournal2Gelf.extraOptions¶
Any extra flags to pass to SystemdJournal2Gelf. Note that these are basically
journalctlflags.Type: strings concatenated with ” “
Default:
""Declared by:
services.SystemdJournal2Gelf.graylogServer¶
Host and port of your graylog2 input. This should be a GELF UDP input.
Type: string
Example:
"graylog2.example.com:11201"Declared by:
services._3proxy.enable¶
Whether to enable 3proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services._3proxy.confFile¶
Ignore all other 3proxy options and load configuration from this file.
Type: path
Example:
"/var/lib/3proxy/3proxy.conf"Declared by:
services._3proxy.denyPrivate¶
Whether to deny access to private IP ranges including loopback.
Type: boolean
Default:
trueDeclared by:
services._3proxy.extraConfig¶
Extra configuration, appended to the 3proxy configuration file. Consult documentation for available options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services._3proxy.privateRanges¶
What IP ranges to deny access when denyPrivate is set tu true.
Type: list of strings
Default:
[ "0.0.0.0/8" "127.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "172.16.0.0/12" "192.168.0.0/16" "::" "::1" "fc00::/7" ]Example:
[ "0.0.0.0/8" "127.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "172.16.0.0/12" "192.168.0.0/16" "::" "::1" "fc00::/7" ]Declared by:
services._3proxy.resolution¶
Use this option to configure name resolution and DNS caching.
Type: submodule
Default: ``{
}``
Declared by:
services._3proxy.resolution.nscache¶
Set name cache size for IPv4.
Type: signed integer
Default:
65535Example:
65535Declared by:
services._3proxy.resolution.nscache6¶
Set name cache size for IPv6.
Type: signed integer
Default:
65535Example:
65535Declared by:
services._3proxy.resolution.nserver¶
List of nameservers to use.
Up to 5 nservers may be specified. If no nserver is configured, default system name resolution functions are used.
Type: list of strings
Default: ``[
]``
Example:
[ "127.0.0.53" "192.168.1.3:5353/tcp" ]Declared by:
services._3proxy.resolution.nsrecord¶
Adds static nsrecords.
Type: attribute set of strings
Default: ``{
}``
Example:
{ files.local = "192.168.1.12"; site.local = "192.168.1.43"; }Declared by:
services._3proxy.services¶
Use this option to define 3proxy services.
Type: list of submodules
Default: ``[
]``
Example:
[ { type = "proxy"; bindAddress = "192.168.1.24"; bindPort = 3128; auth = [ "none" ]; } { type = "proxy"; bindAddress = "10.10.1.20"; bindPort = 3128; auth = [ "iponly" ]; } { type = "socks"; bindAddress = "172.17.0.1"; bindPort = 1080; auth = [ "strong" ]; } ]Declared by:
services._3proxy.services.*.acl¶
Use this option to limit user access to resources.
Type: list of submodules
Default: ``[
]``
Example:
[ { rule = "allow"; users = [ "user1" ]; } { rule = "allow"; sources = [ "192.168.1.0/24" ]; } { rule = "deny"; } ]Declared by:
services._3proxy.services.*.acl.*.rule¶
ACL rule. The following values are valid:
"allow": connections allowed."deny": connections not allowed.Type: one of “allow”, “deny”
Example:
"allow"Declared by:
services._3proxy.services.*.acl.*.sources¶
List of source IP range, use empty list for any.
Type: list of strings
Default: ``[
]``
Example:
[ "127.0.0.1" "192.168.1.0/24" ]Declared by:
services._3proxy.services.*.acl.*.targetPorts¶
List of target ports, use empty list for any.
Type: list of signed integers
Default: ``[
]``
Example:
[ 80 443 ]Declared by:
services._3proxy.services.*.acl.*.targets¶
List of target IP ranges, use empty list for any. May also contain host names instead of addresses. It’s possible to use wildmask in the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. Hostname is only checked if hostname presents in request.
Type: list of strings
Default: ``[
]``
Example:
[ "127.0.0.1" "192.168.1.0/24" ]Declared by:
services._3proxy.services.*.acl.*.users¶
List of users, use empty list for any.
Type: list of strings
Default: ``[
]``
Example:
[ "user1" "user2" "user3" ]Declared by:
services._3proxy.services.*.auth¶
Authentication type. The following values are valid:
"none": disables both authentication and authorization. You can not use ACLs."iponly": specifies no authentication. ACLs authorization is used."strong": authentication by username/password. If user is not registered his access is denied regardless of ACLs.Double authentication is possible, e.g.
{ auth = [ "iponly" "strong" ]; acl = [ { rule = "allow"; targets = [ "192.168.0.0/16" ]; } { rule = "allow" users = [ "user1" "user2" ]; } ]; }In this example strong username authentication is not required to access 192.168.0.0/16.Type: list of one of “none”, “iponly”, “strong”s
Example:
[ "iponly" "strong" ]Declared by:
services._3proxy.services.*.bindAddress¶
Address used for service.
Type: string
Default:
"\[::]"Example:
"127.0.0.1"Declared by:
services._3proxy.services.*.bindPort¶
Override default port used for service.
Type: null or signed integer
Default:
nullExample:
3128Declared by:
services._3proxy.services.*.extraArguments¶
Extra arguments for service. Consult “Options” section in documentation for available arguments.
Type: null or string
Default:
nullExample:
"-46"Declared by:
services._3proxy.services.*.extraConfig¶
Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. Consult documentation for available options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services._3proxy.services.*.maxConnections¶
Maximum number of simulationeous connections to this service.
Type: signed integer
Default:
100Example:
1000Declared by:
services._3proxy.services.*.type¶
Service type. The following values are valid:
"proxy": HTTP/HTTPS proxy (default port 3128)."socks": SOCKS 4/4.5/5 proxy (default port 1080)."pop3p": POP3 proxy (default port 110)."ftppr": FTP proxy (default port 21)."admin": Web interface (default port 80)."dnspr": Caching DNS proxy (default port 53)."tcppm": TCP portmapper."udppm": UDP portmapper.Type: one of “proxy”, “socks”, “pop3p”, “ftppr”, “admin”, “dnspr”, “tcppm”, “udppm”
Example:
"proxy"Declared by:
services._3proxy.usersFile¶
Load users and passwords from this file.
Example users file with plain-text passwords:
test1:CL:password1 test2:CL:password2Example users file with md5-crypted passwords:
test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1 test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME.You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ Note that htpasswd tool generates incompatible md5-crypted passwords. Consult documentation for more information.
Type: null or path
Default:
nullExample:
"/var/lib/3proxy/3proxy.passwd"Declared by:
services.accounts-daemon.enable¶
Whether to enable AccountsService, a DBus service for accessing the list of user accounts and information attached to those accounts.
Type: boolean
Default:
falseDeclared by:
services.acpid.enable¶
Whether to enable the ACPI daemon.
Type: boolean
Default:
falseDeclared by:
services.acpid.acEventCommands¶
Shell commands to execute on an ac_adapter.* event.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.acpid.handlers¶
Event handlers.
Note
Handler can be a single command.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ ac-power = { action = "vals=(\\$1) # space separated string to array of multiple values\\ncase \\${vals[3]} in\\n 00000000)\\n echo unplugged >> /tmp/acpi.log\\n ;;\\n 00000001)\\n echo plugged in >> /tmp/acpi.log\\n ;;\\n \*)\\n echo unknown >> /tmp/acpi.log\\n ;;\\nesac\\n"; event = "ac_adapter/\*"; } ; }Declared by:
services.acpid.handlers.<name>.action¶
Shell commands to execute when the event is triggered.
Type: strings concatenated with “\n”
Declared by:
services.acpid.handlers.<name>.event¶
Event type.
Type: string
Example:
[ "button/power.*" "button/lid.*" "ac_adapter.*" "button/mute.*" "button/volumedown.*" "cd/play.*" "cd/next.*" ]Declared by:
services.acpid.lidEventCommands¶
Shell commands to execute on a button/lid.* event.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.acpid.logEvents¶
Log all event activity.
Type: boolean
Default:
falseDeclared by:
services.acpid.powerEventCommands¶
Shell commands to execute on a button/power.* event.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.activemq.enable¶
Enable the Apache ActiveMQ message broker service.
Type: boolean
Default:
falseDeclared by:
services.activemq.baseDir¶
The base directory where ActiveMQ stores its persistent data and logs. This will be overridden if you set “activemq.base” and “activemq.data” in the
javaPropertiesoption. You can also override this in activemq.xml.Type: string
Default:
"/var/activemq"Declared by:
services.activemq.configurationDir¶
The base directory for ActiveMQ’s configuration. By default, this directory is searched for a file named activemq.xml, which should contain the configuration for the broker service.
Type: unspecified
Default:
"\\${pkgs.activemq}/conf"Declared by:
services.activemq.configurationURI¶
The URI that is passed along to the BrokerFactory to set up the configuration of the ActiveMQ broker service. You should not need to change this. For custom configuration, set the
configurationDirinstead, and create an activemq.xml configuration file in it.Type: string
Default:
"xbean:activemq.xml"Declared by:
services.activemq.extraJavaOptions¶
Add extra options here that you want to be sent to the Java runtime when the broker service is started.
Type: strings concatenated with ” “
Default:
""Example:
"-Xmx2G -Xms2G -XX:MaxPermSize=512M"Declared by:
services.activemq.javaProperties¶
Specifies Java properties that are sent to the ActiveMQ broker service with the “-D” option. You can set properties here to change the behaviour and configuration of the broker. All essential properties that are not set here are automatically given reasonable defaults.
Type: attribute set
Default: ``{
}``
Example:
{ java.net.preferIPv4Stack = "true"; }Declared by:
services.actkbd.enable¶
Whether to enable the actkbd key mapping daemon.
Turning this on will start an actkbd instance for every evdev input that has at least one key (which is okay even for systems with tiny memory footprint, since actkbd normally uses <100 bytes of memory per instance).
This allows binding keys globally without the need for e.g. X11.
Type: boolean
Default:
falseDeclared by:
services.actkbd.bindings¶
Key bindings for actkbd.
See actkbd
READMEfor documentation.The example shows a piece of what does when enabled.
Type: list of submodules
Default: ``[
]``
Example:
[ { keys = [ 113 ]; events = [ "key" ]; command = "${pkgs.alsaUtils}/bin/amixer -q set Master toggle"; } ]Declared by:
services.actkbd.bindings.*.attributes¶
List of attributes.
Type: list of strings
Default:
[ "exec" ]Declared by:
services.actkbd.bindings.*.command¶
What to run.
Type: string
Default:
""Declared by:
services.actkbd.bindings.*.events¶
List of events to match.
Type: list of one of “key”, “rep”, “rel”s
Default:
[ "key" ]Declared by:
services.actkbd.bindings.*.keys¶
List of keycodes to match.
Type: list of signed integers
Declared by:
services.actkbd.extraConfig¶
Literal contents to append to the end of actkbd configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.aerospike.enable¶
Whether to enable Aerospike server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.aerospike.package¶
Which Aerospike derivation to use
Type: package
Default:
"pkgs.aerospike"Declared by:
services.aerospike.extraConfig¶
Extra configuration
Type: strings concatenated with “\n”
Default:
""Example:
'' namespace test { replication-factor 2 memory-size 4G default-ttl 30d storage-engine memory } ''Declared by:
services.aerospike.networkConfig¶
network section of configuration file
Type: strings concatenated with “\n”
Default:
'' service { address any port 3000 } heartbeat { address any mode mesh port 3002 interval 150 timeout 10 } fabric { address any port 3001 } info { address any port 3003 } ''Declared by:
services.aerospike.workDir¶
Location where Aerospike stores its files
Type: string
Default:
"/var/lib/aerospike"Declared by:
services.airsonic.enable¶
Whether to enable Airsonic, the Free and Open Source media streaming server (fork of Subsonic and Libresonic).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.airsonic.contextPath¶
The context path, i.e., the last part of the Airsonic URL. Typically ‘/’ or ‘/airsonic’. Default ‘/’
Type: path
Default:
"/"Declared by:
services.airsonic.home¶
The directory where Airsonic will create files. Make sure it is writable.
Type: path
Default:
"/var/lib/airsonic"Declared by:
services.airsonic.jvmOptions¶
Extra command line options for the JVM running AirSonic. Useful for sending jukebox output to non-default alsa devices.
Type: list of strings
Default: ``[
]``
Example:
[ "-Djavax.sound.sampled.Clip='#CODEC \[plughw:1,0]'" "-Djavax.sound.sampled.Port='#Port CODEC \[hw:1]'" "-Djavax.sound.sampled.SourceDataLine='#CODEC \[plughw:1,0]'" "-Djavax.sound.sampled.TargetDataLine='#CODEC \[plughw:1,0]'" ]Declared by:
services.airsonic.listenAddress¶
The host name or IP address on which to bind Airsonic. Only relevant if you have multiple network interfaces and want to make Airsonic available on only one of them. The default value will bind Airsonic to all available network interfaces.
Type: string
Default:
"127.0.0.1"Declared by:
services.airsonic.maxMemory¶
The memory limit (max Java heap size) in megabytes. Default: 100
Type: signed integer
Default:
100Declared by:
services.airsonic.port¶
The port on which Airsonic will listen for incoming HTTP traffic. Set to 0 to disable.
Type: signed integer
Default:
4040Declared by:
services.airsonic.transcoders¶
List of paths to transcoder executables that should be accessible from Airsonic. Symlinks will be created to each executable inside /var/lib/airsonic/transcoders.
Type: list of paths
Default:
[ "\\${pkgs.ffmpeg.bin}/bin/ffmpeg" ]Declared by:
services.airsonic.user¶
User account under which airsonic runs.
Type: string
Default:
"airsonic"Declared by:
services.airsonic.virtualHost¶
Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.
Type: null or string
Default:
nullDeclared by:
services.alerta.enable¶
Whether to enable alerta.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.alerta.authenticationRequired¶
Whether users must authenticate when using the web UI or command-line tool
Type: boolean
Default:
falseDeclared by:
services.alerta.bind¶
Address to bind to. The default is to bind to all addresses
Type: string
Default:
"0.0.0.0"Example:
0.0.0.0Declared by:
services.alerta.corsOrigins¶
List of URLs that can access the API for Cross-Origin Resource Sharing (CORS)
Type: list of strings
Default:
[ "http://localhost" "http://localhost:5000" ]Example:
[ "http://localhost" "http://localhost:5000" ]Declared by:
services.alerta.databaseName¶
Name of the database instance to connect to
Type: string
Default:
"monitoring"Example:
"monitoring"Declared by:
services.alerta.databaseUrl¶
URL of the MongoDB or PostgreSQL database to connect to
Type: string
Default:
"mongodb://localhost"Example:
"mongodb://localhost"Declared by:
services.alerta.extraConfig¶
These lines go into alertad.conf verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.alerta.logDir¶
Location where the logfiles are stored
Type: path
Default:
"/var/log/alerta"Declared by:
services.alerta.port¶
Port of Alerta
Type: signed integer
Default:
5000Declared by:
services.alerta.signupEnabled¶
Whether to prevent sign-up of new users via the web UI
Type: boolean
Default:
trueDeclared by:
services.amule.enable¶
Whether to run the AMule daemon. You need to manually run “amuled –ec-config” to configure the service for the first time.
Type: unspecified
Default:
falseDeclared by:
services.amule.dataDir¶
The directory holding configuration, incoming and temporary files.
Type: unspecified
Default:
"/home/amule/"Declared by:
services.amule.user¶
The user the AMule daemon should run as.
Type: unspecified
Default:
nullDeclared by:
services.apache-kafka.enable¶
Whether to enable Apache Kafka.
Type: boolean
Default:
falseDeclared by:
services.apache-kafka.package¶
The kafka package to use
Type: package
Default:
"pkgs.apacheKafka"Declared by:
services.apache-kafka.brokerId¶
Broker ID.
Type: signed integer
Default:
-1Declared by:
services.apache-kafka.extraProperties¶
Extra properties for server.properties.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.apache-kafka.hostname¶
Hostname the broker should bind to.
Type: string
Default:
"localhost"Declared by:
services.apache-kafka.jvmOptions¶
Extra command line options for the JVM running Kafka.
Type: list of strings
Default:
[ "-server" "-Xmx1G" "-Xms1G" "-XX:+UseCompressedOops" "-XX:+UseParNewGC" "-XX:+UseConcMarkSweepGC" "-XX:+CMSClassUnloadingEnabled" "-XX:+CMSScavengeBeforeRemark" "-XX:+DisableExplicitGC" "-Djava.awt.headless=true" "-Djava.net.preferIPv4Stack=true" ]Example:
[ "-Djava.net.preferIPv4Stack=true" "-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.local.only=true" ]Declared by:
services.apache-kafka.log4jProperties¶
Kafka log4j property configuration.
Type: strings concatenated with “\n”
Default:
'' log4j.rootLogger=INFO, stdout log4j.appender.stdout=org.apache.log4j.ConsoleAppender log4j.appender.stdout.layout=org.apache.log4j.PatternLayout log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n ''Declared by:
services.apache-kafka.logDirs¶
Log file directories
Type: list of paths
Default:
[ "/tmp/kafka-logs" ]Declared by:
services.apache-kafka.port¶
Port number the broker should listen on.
Type: signed integer
Default:
9092Declared by:
services.apache-kafka.serverProperties¶
Complete server.properties content. Other server.properties config options will be ignored if this option is used.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.apache-kafka.zookeeper¶
Zookeeper connection string
Type: string
Default:
"localhost:2181"Declared by:
services.apcupsd.enable¶
Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure. User manual: http://www.apcupsd.com/manual/manual.html. Note that apcupsd runs as root (to allow shutdown of computer). You can check the status of your UPS with the “apcaccess” command.
Type: boolean
Default:
falseDeclared by:
services.apcupsd.configText¶
Contents of the runtime configuration file, apcupsd.conf. The default settings makes apcupsd autodetect USB UPSes, limit network access to localhost and shutdown the system when the battery level is below 50 percent, or when the UPS has calculated that it has 5 minutes or less of remaining power-on time. See man apcupsd.conf for details.
Type: strings concatenated with “\n”
Default:
'' UPSTYPE usb NISIP 127.0.0.1 BATTERYLEVEL 50 MINUTES 5 ''Declared by:
services.apcupsd.hooks¶
Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that event (prior to the default action). See “man apccontrol” for the list of events and what they represent.
A hook script can stop apccontrol from doing its default action by exiting with value 99. Do not do this unless you know what you’re doing.
Type: attribute set of strings concatenated with “\n”s
Default: ``{
}``
Example:
{ doshutdown = "# shell commands to notify that the computer is shutting down"; }Declared by:
services.arbtt.enable¶
Enable the arbtt statistics capture service.
Type: boolean
Default:
falseDeclared by:
services.arbtt.package¶
The package to use for the arbtt binaries.
Type: package
Default:
"pkgs.haskellPackages.arbtt"Example:
pkgs.haskellPackages.arbttDeclared by:
services.arbtt.logFile¶
The log file for captured samples.
Type: string
Default:
"%h/.arbtt/capture.log"Example:
"/home/username/.arbtt-capture.log"Declared by:
services.arbtt.sampleRate¶
The sampling interval in seconds.
Type: signed integer
Default:
60Example:
120Declared by:
services.aria2.enable¶
Whether or not to enable the headless Aria2 daemon service.
Aria2 daemon can be controlled via the RPC interface using one of many WebUI (http://localhost:6800/ by default).
Targets are downloaded to /var/lib/aria2/Downloads by default and are accessible to users in the “aria2” group.
Type: boolean
Default:
falseDeclared by:
services.aria2.downloadDir¶
Directory to store downloaded files.
Type: path
Default:
"/var/lib/aria2/Downloads"Declared by:
services.aria2.extraArguments¶
Additional arguments to be passed to Aria2.
Type: strings concatenated with ” “
Default:
""Example:
"--rpc-listen-all --remote-time=true"Declared by:
services.aria2.listenPortRange¶
Set UDP listening port range used by DHT(IPv4, IPv6) and UDP tracker.
Type: list of attribute sets
Default: ``[
{ from = 6881; to = 6999; }
]``
Declared by:
services.aria2.openPorts¶
Open listen and RPC ports found in listenPortRange and rpcListenPort options in the firewall.
Type: boolean
Default:
falseDeclared by:
services.aria2.rpcListenPort¶
Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535
Type: signed integer
Default:
6800Declared by:
services.aria2.rpcSecret¶
Set RPC secret authorization token. Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.
Type: string
Default:
"aria2rpc"Declared by:
services.asterisk.enable¶
Whether to enable the Asterisk PBX server.
Type: boolean
Default:
falseDeclared by:
services.asterisk.package¶
The Asterisk package to use.
Type: package
Default:
"pkgs.asterisk"Declared by:
services.asterisk.confFiles¶
Sets the content of config files (typically ending with``.conf``) in the Asterisk configuration directory.
Note that if you want to change
asterisk.conf, it is preferable to use the option over this option. If"asterisk.conf"is specified with the option (not recommended), you must be prepared to set your ownastetcdirpath.See` <http://www.asterisk.org/community/documentation>`_ for more examples of what is possible here.
Type: attribute set of strings
Default: ``{
}``
Example:
{ "extensions.conf" = '' [tests] ; Dial 100 for "hello, world" exten => 100,1,Answer() same => n,Wait(1) same => n,Playback(hello-world) same => n,Hangup() [softphones] include => tests [unauthorized] ''; "sip.conf" = '' [general] allowguest=no ; Require authentication context=unauthorized ; Send unauthorized users to /dev/null srvlookup=no ; Don't do DNS lookup udpbindaddr=0.0.0.0 ; Listen on all interfaces nat=force_rport,comedia ; Assume device is behind NAT [softphone](!) type=friend ; Match on username first, IP second context=softphones ; Send to softphones context in ; extensions.conf file host=dynamic ; Device will register with asterisk disallow=all ; Manually specify codecs to allow allow=g722 allow=ulaw allow=alaw [myphone](softphone) secret=GhoshevFew ; Change this password! ''; "logger.conf" = '' [general] [logfiles] ; Add debug output to log syslog.local0 => notice,warning,error,debug ''; }Declared by:
services.asterisk.extraArguments¶
Additional command line arguments to pass to Asterisk.
Type: list of strings
Default: ``[
]``
Example:
[ "-vvvddd" "-e" "1024" ]Declared by:
services.asterisk.extraConfig¶
Extra configuration options appended to the default``asterisk.conf`` file.
Type: strings concatenated with “\n”
Default:
""Example:
'' [options] verbose=3 debug=3 ''Declared by:
services.asterisk.useTheseDefaultConfFiles¶
Sets these config files to the default content. The default value for this option contains all necesscary files to avoid errors at startup. This does not override settings via .
Type: list of strings
Default:
[ "ari.conf" "acl.conf" "agents.conf" "amd.conf" "calendar.conf" "cdr.conf" "cdr_syslog.conf" "cdr_custom.conf" "cel.conf" "cel_custom.conf" "cli_aliases.conf" "confbridge.conf" "dundi.conf" "features.conf" "hep.conf" "iax.conf" "pjsip.conf" "pjsip_wizard.conf" "phone.conf" "phoneprov.conf" "queues.conf" "res_config_sqlite3.conf" "res_parking.conf" "statsd.conf" "udptl.conf" "unistim.conf" ]Example:
[ "sip.conf" "dundi.conf" ]Declared by:
services.atd.enable¶
Whether to enable the at daemon, a command scheduler.
Type: boolean
Default:
falseDeclared by:
services.atd.allowEveryone¶
Whether to make
/var/spool/atjobs,spoolwriteable by everyone (and sticky). This is normally not needed since the at commands are setuid/setgidatd.Type: boolean
Default:
falseDeclared by:
services.atftpd.enable¶
Whether to enable the atftpd TFTP server. By default, the server binds to address 0.0.0.0.
Type: boolean
Default:
falseDeclared by:
services.atftpd.extraOptions¶
Extra command line arguments to pass to atftp.
Type: list of strings
Default: ``[
]``
Example:
[ "--bind-address 192.168.9.1" "--verbose=7" ]Declared by:
services.atftpd.root¶
Document root directory for the atftpd.
Type: path
Default:
"/srv/tftp"Declared by:
services.autofs.enable¶
Mount filesystems on demand. Unmount them automatically. You may also be interested in afuse.
Type: unspecified
Default:
falseDeclared by:
services.autofs.autoMaster¶
Contents of
/etc/auto.masterfile. See auto.master(5) and autofs(5).Type: string
Example:
let mapConf = pkgs.writeText "auto" '' kernel -ro,soft,intr ftp.kernel.org:/pub/linux boot -fstype=ext2 :/dev/hda1 windoze -fstype=smbfs ://windoze/c removable -fstype=ext2 :/dev/hdd cd -fstype=iso9660,ro :/dev/hdc floppy -fstype=auto :/dev/fd0 server -rw,hard,intr / -ro myserver.me.org:/ \ /usr myserver.me.org:/usr \ /home myserver.me.org:/home ''; in '' /auto file:${mapConf} ''Declared by:
services.autofs.debug¶
Pass -d and -7 to automount and write log to the system journal.
Type: unspecified
Default:
falseDeclared by:
services.autofs.timeout¶
Set the global minimum timeout, in seconds, until directories are unmounted
Type: unspecified
Default:
600Declared by:
services.automysqlbackup.enable¶
Whether to enable AutoMySQLBackup.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.automysqlbackup.calendar¶
Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
Type: string
Default:
"01:15:00"Declared by:
services.automysqlbackup.config¶
automysqlbackup configuration. Refer to:file:${pkgs.automysqlbackup}/etc/automysqlbackup.conf for details on supported values.
Type: attribute set of string or signed integer or boolean or list of stringss
Default: ``{
}``
Example:
{ db_names = [ "nextcloud" "matomo" ]; table_exclude = [ "nextcloud.oc_users" "nextcloud.oc_whats_new" ]; mailcontent = "log"; mail_address = "admin@example.org"; }Declared by:
services.autorandr.enable¶
Whether to enable handling of hotplug and sleep events by autorandr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.autorandr.defaultTarget¶
Fallback if no monitor layout can be detected. See the docs (https://github.com/phillipberndt/autorandr/blob/v1.0/README.md#how-to-use) for further reference.
Type: string
Default:
"default"Declared by:
services.autossh.sessions¶
List of AutoSSH sessions to start as systemd services. Each service is named ‘autossh-{session.name}’.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ extraArguments = “-N -D4343 billremote@socks.host.net”; monitoringPort = 20000; name = “socks-peer”; user = “bill”; }
]``
Declared by:
services.autossh.sessions.*.extraArguments¶
Arguments to be passed to AutoSSH and retransmitted to SSH process. Some meaningful options include -N (don’t run remote command), -D (open SOCKS proxy on local port), -R (forward remote port), -L (forward local port), -v (Enable debug). Check ssh manual for the complete list.
Type: strings concatenated with ” “
Example:
"-N -D4343 bill@socks.example.net"Declared by:
services.autossh.sessions.*.monitoringPort¶
Port to be used by AutoSSH for peer monitoring. Note, that AutoSSH also uses mport+1. Value of 0 disables the keep-alive style monitoring
Type: signed integer
Default:
0Example:
20000Declared by:
services.autossh.sessions.*.name¶
Name of the local AutoSSH session
Type: string
Example:
"socks-peer"Declared by:
services.autossh.sessions.*.user¶
Name of the user the AutoSSH session should run as
Type: string
Example:
"bill"Declared by:
services.avahi.enable¶
Whether to run the Avahi daemon, which allows Avahi clients to use Avahi’s service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by `avahi-daemon’).
Type: boolean
Default:
falseDeclared by:
services.avahi.allowPointToPoint¶
Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large latencies with such links and opens a potential security hole by allowing mDNS access from Internet connections.
Type: boolean
Default:
falseDeclared by:
services.avahi.browseDomains¶
List of non-local DNS domains to be browsed.
Type: list of strings
Default: ``[
]``
Example:
[ "0pointer.de" "zeroconf.org" ]Declared by:
services.avahi.cacheEntriesMax¶
Number of resource records to be cached per interface. Use 0 to disable caching. Avahi daemon defaults to 4096 if not set.
Type: null or signed integer
Default:
nullDeclared by:
services.avahi.domainName¶
Domain name for all advertisements.
Type: string
Default:
"local"Declared by:
services.avahi.extraConfig¶
Extra config to append to avahi-daemon.conf.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.avahi.extraServiceFiles¶
Specify custom service definitions which are placed in the avahi service directory. See the avahi.service5 manpage for detailed information.
Type: attribute set of string or paths
Default: ``{
}``
Example:
{ ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service"; smb = '' <?xml version="1.0" standalone='no'?><!--*-nxml-*--> <!DOCTYPE service-group SYSTEM "avahi-service.dtd"> <service-group> <name replace-wildcards="yes">%h</name> <service> <type>_smb._tcp</type> <port>445</port> </service> </service-group> ''; }Declared by:
services.avahi.hostName¶
Host name advertised on the LAN. If not set, avahi will use the value of .
Type: string
Default:
config.networking.hostNameDeclared by:
services.avahi.interfaces¶
List of network interfaces that should be used by the avahi-daemon. Other interfaces will be ignored. If
null, all local interfaces except loopback and point-to-point will be used.Type: null or list of strings
Default:
nullDeclared by:
services.avahi.ipv4¶
Whether to use IPv4.
Type: boolean
Default:
trueDeclared by:
services.avahi.ipv6¶
Whether to use IPv6.
Type: boolean
Default:
falseDeclared by:
services.avahi.nssmdns¶
Whether to enable the mDNS NSS (Name Service Switch) plug-in. Enabling it allows applications to resolve names in the `.local’ domain by transparently querying the Avahi daemon.
Type: boolean
Default:
falseDeclared by:
services.avahi.openFirewall¶
Whether to open the firewall for UDP port 5353.
Type: boolean
Default:
trueDeclared by:
services.avahi.publish.enable¶
Whether to allow publishing in general.
Type: boolean
Default:
falseDeclared by:
services.avahi.publish.addresses¶
Whether to register mDNS address records for all local IP addresses.
Type: boolean
Default:
falseDeclared by:
services.avahi.publish.domain¶
Whether to announce the locally used domain name for browsing by other hosts.
Type: boolean
Default:
falseDeclared by:
services.avahi.publish.hinfo¶
Whether to register a mDNS HINFO record which contains information about the local operating system and CPU.
Type: boolean
Default:
falseDeclared by:
services.avahi.publish.userServices¶
Whether to publish user services. Will set
addresses=true.Type: boolean
Default:
falseDeclared by:
services.avahi.publish.workstation¶
Whether to register a service of type “_workstation._tcp” on the local LAN.
Type: boolean
Default:
falseDeclared by:
services.avahi.reflector¶
Reflect incoming mDNS requests to all allowed network interfaces.
Type: boolean
Default:
falseDeclared by:
services.avahi.wideArea¶
Whether to enable wide-area service discovery.
Type: boolean
Default:
trueDeclared by:
services.awstats.enable¶
Whether to enable awstats.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.awstats.configs¶
Attribute set of domains to collect stats for.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "mysite" = { domain = "example.com"; logFile = "/var/spool/nginx/logs/access.log"; }; }Declared by:
services.awstats.configs.<name>.domain¶
The domain name to collect stats for.
Type: string
Default:
"‹name›"Example:
"example.com"Declared by:
services.awstats.configs.<name>.extraConfig¶
Extra configuration to be appendend to awstats.${name}.conf.
Type: attribute set of strings
Default: ``{
}``
Example:
{ "ValidHTTPCodes" = "404"; }Declared by:
services.awstats.configs.<name>.hostAliases¶
List of aliases the site has.
Type: list of strings
Default: ``[
]``
Example:
''[ "www.example.org" ]''Declared by:
services.awstats.configs.<name>.logFile¶
services.awstats.configs.<name>.logFormat¶
The log format being used.
For mail, set this to``%time2 %email %email_r %host %host_r %method %url %code %bytesd``
Type: string
Default:
"1"Declared by:
services.awstats.configs.<name>.type¶
The type of log being collected.
Type: one of “mail”, “web”
Default:
"web"Example:
"mail"Declared by:
services.awstats.configs.<name>.webService.enable¶
Whether to enable awstats web service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.awstats.configs.<name>.webService.hostname¶
The hostname the web service appears under.
Type: string
Default:
"‹name›"Declared by:
services.awstats.configs.<name>.webService.urlPrefix¶
The URL prefix under which the awstats pages appear.
Type: string
Default:
"/awstats"Declared by:
services.awstats.dataDir¶
The directory where awstats data will be stored.
Type: path
Default:
"/var/lib/awstats"Declared by:
services.awstats.updateAt¶
Specification of the time at which awstats will get updated. (in the format described by systemd.time7)
Type: null or string
Default:
nullExample:
"hourly"Declared by:
services.babeld.enable¶
Whether to run the babeld network routing daemon.
Type: unspecified
Default:
falseDeclared by:
services.babeld.extraConfig¶
Options that will be copied to babeld.conf. See babeld8 for details.
Type: unspecified
Default:
""Declared by:
services.babeld.interfaceDefaults¶
A set describing default parameters for babeld interfaces. See babeld8 for options.
Type: null or attribute set of unspecifieds
Default:
nullExample:
{ split-horizon = true; type = "tunnel"; }Declared by:
services.babeld.interfaces¶
A set describing babeld interfaces. See babeld8 for options.
Type: attribute set of attribute set of unspecifiedss
Default: ``{
}``
Example:
{ enp0s2 = { hello-interval = 5; split-horizon = "auto"; type = "wired"; } ; }Declared by:
services.bacula-dir.enable¶
Whether to enable Bacula Director Daemon.
Type: boolean
Default:
falseDeclared by:
services.bacula-dir.extraConfig¶
Extra configuration for Bacula Director Daemon.
Type: strings concatenated with “\n”
Default:
""Example:
'' TODO ''Declared by:
services.bacula-dir.extraDirectorConfig¶
Extra configuration to be passed in Director directive.
Type: unspecified
Default:
""Example:
'' Maximum Concurrent Jobs = 20; Heartbeat Interval = 30; ''Declared by:
services.bacula-dir.extraMessagesConfig¶
Extra configuration to be passed in Messages directive.
Type: unspecified
Default:
""Example:
'' console = all ''Declared by:
services.bacula-dir.name¶
The director name used by the system administrator. This directive is required.
Type: unspecified
Default:
"nixos-dir"Declared by:
services.bacula-dir.password¶
Specifies the password that must be supplied for a Director.
Type: unspecified
Declared by:
services.bacula-dir.port¶
Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify DirAddresses (N.B plural) directive.
Type: signed integer
Default:
9101Declared by:
services.bacula-fd.enable¶
Whether to enable the Bacula File Daemon.
Type: boolean
Default:
falseDeclared by:
services.bacula-fd.director¶
This option defines director resources in Bacula File Daemon.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.bacula-fd.director.<name>.monitor¶
If Monitor is set to
no, this director will have full access to this Storage daemon. If Monitor is set to``yes``, this director will only be able to fetch the current status of this Storage daemon.Please note that if this director is being used by a Monitor, we highly recommend to set this directive to yes to avoid serious security problems.
Type: unspecified
Default:
"no"Example:
"yes"Declared by:
services.bacula-fd.director.<name>.password¶
Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network but instead a challenge response hash code created with the password. This directive is required. If you have either /dev/random or bc on your machine, Bacula will generate a random password during the configuration process, otherwise it will be left blank and you must manually supply it.
The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.
Type: unspecified
Declared by:
services.bacula-fd.extraClientConfig¶
Extra configuration to be passed in Client directive.
Type: unspecified
Default:
""Example:
'' Maximum Concurrent Jobs = 20; Heartbeat Interval = 30; ''Declared by:
services.bacula-fd.extraMessagesConfig¶
Extra configuration to be passed in Messages directive.
Type: unspecified
Default:
""Example:
'' console = all ''Declared by:
services.bacula-fd.name¶
The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple Clients. This directive is required.
Type: unspecified
Default:
"nixos-fd"Declared by:
services.bacula-fd.port¶
This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director’s configuration file.
Type: signed integer
Default:
9102Declared by:
services.bacula-sd.enable¶
Whether to enable Bacula Storage Daemon.
Type: boolean
Default:
falseDeclared by:
services.bacula-sd.autochanger¶
This option defines Autochanger resources in Bacula Storage Daemon.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.bacula-sd.autochanger.<name>.changerCommand¶
The name-string specifies an external program to be called that will automatically change volumes as required by Bacula. Normally, this directive will be specified only in the AutoChanger resource, which is then used for all devices. However, you may also specify the different Changer Command in each Device resource. Most frequently, you will specify the Bacula supplied mtx-changer script as follows:
"/path/mtx-changer %c %o %S %a %d"and you will install the mtx on your system (found in the depkgs release). An example of this command is in the default bacula-sd.conf file. For more details on the substitution characters that may be specified to configure your autochanger please see the AutochangersAutochangersChapter chapter of this manual. For FreeBSD users, you might want to see one of the several chio scripts in examples/autochangers.
Type: unspecified
Default:
"/etc/bacula/mtx-changer %c %o %S %a %d"Declared by:
services.bacula-sd.autochanger.<name>.changerDevice¶
The specified name-string must be the generic SCSI device name of the autochanger that corresponds to the normal read/write Archive Device specified in the Device resource. This generic SCSI device name should be specified if you have an autochanger or if you have a standard tape drive and want to use the Alert Command (see below). For example, on Linux systems, for an Archive Device name of``/dev/nst0``, you would specify``/dev/sg0`` for the Changer Device name. Depending on your exact configuration, and the number of autochangers or the type of autochanger, what you specify here can vary. This directive is optional. See the Using AutochangersAutochangersChapter chapter of this manual for more details of using this and the following autochanger directives.
Type: unspecified
Declared by:
services.bacula-sd.autochanger.<name>.devices¶
services.bacula-sd.autochanger.<name>.extraAutochangerConfig¶
Extra configuration to be passed in Autochanger directive.
Type: unspecified
Default:
""Example:
'' ''Declared by:
services.bacula-sd.device¶
This option defines Device resources in Bacula Storage Daemon.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.bacula-sd.device.<name>.archiveDevice¶
The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example
/dev/nst0or``/dev/rmt/0mbn``. For a DVD-writer, it will be for example/dev/hdc. It may also be a directory name if you are archiving to disk storage. In this case, you must supply the full absolute path to the directory. When specifying a tape device, it is preferable that the “non-rewind” variant of the device file name be given.Type: unspecified
Declared by:
services.bacula-sd.device.<name>.extraDeviceConfig¶
Extra configuration to be passed in Device directive.
Type: unspecified
Default:
""Example:
'' LabelMedia = yes Random Access = no AutomaticMount = no RemovableMedia = no MaximumOpenWait = 60 AlwaysOpen = no ''Declared by:
services.bacula-sd.device.<name>.mediaType¶
The specified name-string names the type of media supported by this device, for example,
DLT7000. Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director’s configuration file.Even though the names you assign are arbitrary (i.e. you choose the name you want), you should take care in specifying them because the Media Type is used to determine which storage device Bacula will select during restore. Thus you should probably use the same Media Type specification for all drives where the Media can be freely interchanged. This is not generally an issue if you have a single Storage daemon, but it is with multiple Storage daemons, especially if they have incompatible media.
For example, if you specify a Media Type of
DDS-4then during the restore, Bacula will be able to choose any Storage Daemon that handlesDDS-4. If you have an autochanger, you might want to name the Media Type in a way that is unique to the autochanger, unless you wish to possibly use the Volumes in other drives. You should also ensure to have unique Media Type names if the Media is not compatible between drives. This specification is required for all devices.In addition, if you are using disk storage, each Device resource will generally have a different mount point or directory. In order for Bacula to select the correct Device resource, each one must have a unique Media Type.
Type: unspecified
Declared by:
services.bacula-sd.director¶
This option defines Director resources in Bacula Storage Daemon.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.bacula-sd.director.<name>.monitor¶
If Monitor is set to
no, this director will have full access to this Storage daemon. If Monitor is set to``yes``, this director will only be able to fetch the current status of this Storage daemon.Please note that if this director is being used by a Monitor, we highly recommend to set this directive to yes to avoid serious security problems.
Type: unspecified
Default:
"no"Example:
"yes"Declared by:
services.bacula-sd.director.<name>.password¶
Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network but instead a challenge response hash code created with the password. This directive is required. If you have either /dev/random or bc on your machine, Bacula will generate a random password during the configuration process, otherwise it will be left blank and you must manually supply it.
The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.
Type: unspecified
Declared by:
services.bacula-sd.extraMessagesConfig¶
Extra configuration to be passed in Messages directive.
Type: unspecified
Default:
""Example:
'' console = all ''Declared by:
services.bacula-sd.extraStorageConfig¶
Extra configuration to be passed in Storage directive.
Type: unspecified
Default:
""Example:
'' Maximum Concurrent Jobs = 20; Heartbeat Interval = 30; ''Declared by:
services.bacula-sd.name¶
Specifies the Name of the Storage daemon.
Type: unspecified
Default:
"nixos-sd"Declared by:
services.bacula-sd.port¶
Specifies port number on which the Storage daemon listens for Director connections.
Type: signed integer
Default:
9103Declared by:
services.bamf.enable¶
Whether to enable bamf.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.beanstalkd.enable¶
Whether to enable the Beanstalk work queue.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.beanstalkd.listen.address¶
IP address to listen on.
Type: string
Default:
"127.0.0.1"Example:
"0.0.0.0"Declared by:
services.beanstalkd.listen.port¶
TCP port that will be used to accept client connections.
Type: signed integer
Default:
11300Declared by:
services.beesd.filesystems¶
BTRFS filesystems to run block-level deduplication on.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ root = { spec = "LABEL=root"; hashTableSizeMB = 2048; verbosity = "crit"; extraOptions = [ "--loadavg-target" "5.0" ]; }; }Declared by:
services.beesd.filesystems.<name>.extraOptions¶
Extra command-line options passed to the daemon. See upstream bees documentation.
Type: list of strings
Default: ``[
]``
Example:
[ "--thread-count" "4" ]Declared by:
services.beesd.filesystems.<name>.hashTableSizeMB¶
Hash table size in MB; must be a multiple of 16.
A larger ratio of index size to storage size means smaller blocks of duplicate content are recognized.
If you have 1TB of data, a 4GB hash table (which is to say, a value of 4096) will permit 4KB extents (the smallest possible size) to be recognized, whereas a value of 1024 – creating a 1GB hash table – will recognize only aligned duplicate blocks of 16KB.
Type: signed integer
Default:
1024Declared by:
services.beesd.filesystems.<name>.spec¶
Description of how to identify the filesystem to be duplicated by this instance of bees. Note that deduplication crosses subvolumes; one must not configure multiple instances for subvolumes of the same filesystem (or block devices which are part of the same filesystem), but only for completely independent btrfs filesystems.
This must be in a format usable by findmnt; that could be a key=value pair, or a bare path to a mount point.
Type: string
Example:
"LABEL=MyBulkDataDrive"Declared by:
services.beesd.filesystems.<name>.verbosity¶
Log verbosity (syslog keyword/level).
Type: one of “alert”, “crit”, “debug”, “emerg”, “err”, “info”, “notice”, “warning”, 1, 2, 7, 0, 3, 6, 5, 4
Default:
"info"Declared by:
services.beesd.filesystems.<name>.workDir¶
Name (relative to the root of the filesystem) of the subvolume where the hash table will be stored.
Type: string
Default:
".beeshome"Declared by:
services.bepasty.enable¶
Whether to enable Bepasty servers.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.bepasty.servers¶
configure a number of bepasty servers which will be started with gunicorn.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.bepasty.servers.<name>.bind¶
Bind address to be used for this server.
Type: string
Default:
"127.0.0.1:8000"Example:
"0.0.0.0:8000"Declared by:
services.bepasty.servers.<name>.dataDir¶
Path to the directory where the pastes will be saved to
Type: string
Default:
"/var/lib/bepasty/data"Declared by:
services.bepasty.servers.<name>.defaultPermissions¶
default permissions for all unauthenticated accesses.
Type: string
Default:
"read"Example:
"read,create,delete"Declared by:
services.bepasty.servers.<name>.extraConfig¶
Extra configuration for bepasty server to be appended on the configuration. see https://bepasty-server.readthedocs.org/en/latest/quickstart.html#configuring-bepasty for all options.
Type: strings concatenated with “\n”
Default:
""Example:
'' PERMISSIONS = { 'myadminsecret': 'admin,list,create,read,delete', } MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 ''Declared by:
services.bepasty.servers.<name>.secretKey¶
server secret for safe session cookies, must be set.
Warning: this secret is stored in the WORLD-READABLE Nix store!
It’s recommended to use which takes precedence over .
Type: string
Default:
""Declared by:
services.bepasty.servers.<name>.secretKeyFile¶
A file that contains the server secret for safe session cookies, must be set.
takes precedence over .
Warning: when is non-empty defaults to a file in the WORLD-READABLE Nix store containing that secret.
Type: null or string
Default:
nullDeclared by:
services.bepasty.servers.<name>.workDir¶
Path to the working directory (used for config and pidfile). Defaults to the users home directory.
Type: string
Default:
"/var/lib/bepasty"Declared by:
services.bind.enable¶
Whether to enable BIND domain name server.
Type: unspecified
Default:
falseDeclared by:
services.bind.blockedNetworks¶
services.bind.cacheNetworks¶
What networks are allowed to use us as a resolver. Note that this is for recursive queries – all networks are allowed to query zones configured with the `zones` option. It is recommended that you limit cacheNetworks to avoid your server being used for DNS amplification attacks.
Type: unspecified
Default:
[ "127.0.0.0/24" ]Declared by:
services.bind.configFile¶
Overridable config file to use for named. By default, that generated by nixos.
Type: path
Default:
"confFile"Declared by:
services.bind.extraConfig¶
Extra lines to be added verbatim to the generated named configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.bind.extraOptions¶
Extra lines to be added verbatim to the options section of the generated named configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.bind.forwarders¶
services.bind.ipv4Only¶
Only use ipv4, even if the host supports ipv6.
Type: unspecified
Default:
falseDeclared by:
services.bind.listenOn¶
Interfaces to listen on.
Type: list of strings
Default:
[ "any" ]Declared by:
services.bind.listenOnIpv6¶
Ipv6 interfaces to listen on.
Type: list of strings
Default:
[ "any" ]Declared by:
services.bind.zones¶
List of zones we claim authority over. master=false means slave server; slaves means addresses who may request zone transfer.
Type: unspecified
Default: ``[
]``
Example: ``[
{ extraConfig = “”; file = “/var/dns/example.com”; master = false; masters = [ “192.168.0.1” ] ; name = “example.com”; slaves = [
}
]``
Declared by:
services.bird.enable¶
Whether to enable BIRD Internet Routing Daemon (1.9.x with IPv4 suport).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.bird.config¶
BIRD Internet Routing Daemon configuration file.` <http://bird.network.cz/>`_
Type: strings concatenated with “\n”
Declared by:
services.bird2.enable¶
Whether to enable BIRD Internet Routing Daemon (2.x).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.bird2.config¶
BIRD Internet Routing Daemon configuration file.` <http://bird.network.cz/>`_
Type: strings concatenated with “\n”
Declared by:
services.bird6.enable¶
Whether to enable BIRD Internet Routing Daemon (1.9.x with IPv6 suport).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.bird6.config¶
BIRD Internet Routing Daemon configuration file.` <http://bird.network.cz/>`_
Type: strings concatenated with “\n”
Declared by:
services.bitcoind.enable¶
Whether to enable Bitcoin daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.bitcoind.package¶
The package providing bitcoin binaries.
Type: package
Default:
"pkgs.bitcoind"Declared by:
services.bitcoind.configFile¶
The configuration file path to supply bitcoind.
Type: path
Default:
*(build of bitcoin.conf)*Example:
"/etc/bitcoind.conf"Declared by:
services.bitcoind.dataDir¶
The data directory for bitcoind.
Type: path
Default:
"/var/lib/bitcoind"Declared by:
services.bitcoind.dbCache¶
Override the default database cache size in megabytes.
Type: null or integer between 4 and 16384 (both inclusive)
Default:
nullExample:
4000Declared by:
services.bitcoind.extraConfig¶
Additional configurations to be appended to
bitcoin.conf.Type: strings concatenated with “\n”
Default:
""Example:
'' par=16 rpcthreads=16 logips=1 ''Declared by:
services.bitcoind.group¶
The group as which to run bitcoind.
Type: string
Default:
"bitcoin"Declared by:
services.bitcoind.port¶
Override the default port on which to listen for connections.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
nullDeclared by:
services.bitcoind.prune¶
Reduce storage requirements by enabling pruning (deleting) of old blocks. This allows the pruneblockchain RPC to be called to delete specific blocks, and enables automatic pruning of old blocks if a target size in MiB is provided. This mode is incompatible with -txindex and -rescan. Warning: Reverting this setting requires re-downloading the entire blockchain. (“disable” = disable pruning blocks, “manual” = allow manual pruning via RPC, >=550 = automatically prune block files to stay under the specified target size in MiB)
Type: null or unsigned integer, meaning >=0 or one of “disable”, “manual” convertible to it
Default:
nullExample:
10000Declared by:
services.bitcoind.rpc.port¶
Override the default port on which to listen for JSON-RPC connections.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
nullDeclared by:
services.bitcoind.rpc.users¶
RPC user information for JSON-RPC connnections.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"; bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99"; }Declared by:
services.bitcoind.rpc.users.<name?>.name¶
Username for JSON-RPC connections.
Type: string
Example:
"alice"Declared by:
services.bitcoind.rpc.users.<name?>.passwordHMAC¶
Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the format <SALT-HEX>$<HMAC-HEX>.
Type: string matching the pattern [0-9a-f]+\$[0-9a-f]{64}
Example:
"f7efda5c189b999524f151318c0c86\\$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"Declared by:
services.bitcoind.testnet¶
Whether to use the test chain.
Type: boolean
Default:
falseDeclared by:
services.bitcoind.user¶
The user as which to run bitcoind.
Type: string
Default:
"bitcoin"Declared by:
services.bitlbee.enable¶
Whether to run the BitlBee IRC to other chat network gateway. Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat networks via an IRC client.
Type: unspecified
Default:
falseDeclared by:
services.bitlbee.authBackend¶
How users are authenticated storage – save passwords internally pam – Linux PAM authentication
Type: one of “storage”, “pam”
Default:
"storage"Declared by:
services.bitlbee.authMode¶
The following authentication modes are available: Open – Accept connections from anyone, use NickServ for user authentication. Closed – Require authorization (using the PASS command during login) before allowing the user to connect at all. Registered – Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself.
Type: one of “Open”, “Closed”, “Registered”
Default:
"Open"Declared by:
services.bitlbee.configDir¶
Specify an alternative directory to store all the per-user configuration files.
Type: path
Default:
"/var/lib/bitlbee"Declared by:
services.bitlbee.extraDefaults¶
Will be inserted in the Default section of the config file.
Type: unspecified
Default:
""Declared by:
services.bitlbee.extraSettings¶
Will be inserted in the Settings section of the config file.
Type: unspecified
Default:
""Declared by:
services.bitlbee.hostName¶
Normally, BitlBee gets a hostname using getsockname(). If you have a nicer alias for your BitlBee daemon, you can set it here and BitlBee will identify itself with that name instead.
Type: string
Default:
""Declared by:
services.bitlbee.interface¶
The interface the BitlBee deamon will be listening to. If `127.0.0.1’, only clients on the local host can connect to it; if `0.0.0.0’, clients can access it from any network interface.
Type: unspecified
Default:
"127.0.0.1"Declared by:
services.bitlbee.libpurple_plugins¶
The list of libpurple plugins to install.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.purple-matrix ]Declared by:
services.bitlbee.plugins¶
The list of bitlbee plugins to install.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.bitlbee-facebook ]Declared by:
services.bitlbee.portNumber¶
Number of the port BitlBee will be listening to.
Type: unspecified
Default:
6667Declared by:
services.bitlbee.protocols¶
This option allows to remove the support of protocol, even if compiled in. If nothing is given, there are no restrictions.
Type: string
Default:
""Declared by:
services.bitwarden_rs.enable¶
Whether to enable bitwarden_rs.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.bitwarden_rs.backupDir¶
The directory under which bitwarden_rs will backup its persistent data.
Type: null or string
Default:
nullDeclared by:
services.bitwarden_rs.config¶
The configuration of bitwarden_rs is done through environment variables, therefore the names are converted from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER). In this conversion digits (0-9) are handled just like upper case characters, so foo2 would be converted to FOO_2. Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such, even though foo2 would have been converted to FOO_2. This allows working around any potential future conflicting naming conventions.
Based on the attributes passed to this config option an environment file will be generated that is passed to bitwarden_rs’s systemd service.
The available configuration options can be found in`the environment template file <https://github.com/dani-garcia/bitwarden_rs/blob/1.13.1/.env.template>`_.
Type: attribute set of null or boolean or signed integer or strings
Default: ``{
}``
Example:
{ domain = https://bw.domain.tld:8443; signupsAllowed = true; rocketPort = 8222; rocketLog = "critical"; }Declared by:
services.bitwarden_rs.dbBackend¶
Which database backend bitwarden_rs will be using.
Type: one of “sqlite”, “mysql”, “postgresql”
Default:
"sqlite"Declared by:
services.bloop.extraOptions¶
Specifies additional command line argument to pass to bloop java process.
Type: list of strings
Default: ``[
]``
Example:
[ "-J-Xmx2G" "-J-XX:MaxInlineLevel=20" "-J-XX:+UseParallelGC" ]Declared by:
services.bloop.install¶
Whether to install a user service for the Bloop server.
The service must be manually started for each user with “systemctl –user start bloop”.
Type: boolean
Default:
falseDeclared by:
services.blueman.enable¶
Whether to enable blueman.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.boinc.enable¶
Whether to enable the BOINC distributed computing client. If this option is set to true, the boinc_client daemon will be run as a background service. The boinccmd command can be used to control the daemon.
Type: boolean
Default:
falseDeclared by:
services.boinc.package¶
Which BOINC package to use.
Type: package
Default:
"pkgs.boinc"Declared by:
services.boinc.allowRemoteGuiRpc¶
If set to true, any remote host can connect to and control this BOINC client (subject to password authentication). If instead set to false, only the hosts listed in
dataDir/remote_hosts.cfg will be allowed to connect.See also: ` <http://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access>`_
Type: boolean
Default:
falseDeclared by:
services.boinc.dataDir¶
The directory in which to store BOINC’s configuration and data files.
Type: path
Default:
"/var/lib/boinc"Declared by:
services.boinc.extraEnvPackages¶
Additional packages to make available in the environment in which BOINC will run. Common choices are:
pkgs.virtualboxThe VirtualBox virtual machine framework. Required by some BOINC projects, such as ATLAS@home.
pkgs.ocl-icdOpenCL infrastructure library. Required by BOINC projects that use OpenCL, in addition to a device-specific OpenCL driver.
pkgs.linuxPackages.nvidia_x11Provides CUDA libraries. Required by BOINC projects that use CUDA. Note that this requires an NVIDIA graphics device to be present on the system.
Also provides OpenCL drivers for NVIDIA GPUs;
pkgs.ocl-icdis also needed in this case.Type: list of packages
Default: ``[
]``
Example:
"[ pkgs.virtualbox ]"Declared by:
services.borgbackup.jobs¶
Deduplicating backups using BorgBackup. Adding a job will cause a borg-job-NAME wrapper to be added to your system path, so that you can perform maintenance easily.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ rootBackup = { paths = "/"; exclude = [ "/nix" ]; repo = "/path/to/local/repo"; encryption = { mode = "repokey"; passphrase = "secret"; }; compression = "auto,lzma"; startAt = "weekly"; }; }Declared by:
services.borgbackup.jobs.<name>.appendFailedSuffix¶
Append a
.failedsuffix to the archive name, which is only removed if:command:borg create has a zero exit status.Type: boolean
Default:
trueDeclared by:
services.borgbackup.jobs.<name>.archiveBaseName¶
How to name the created archives. A timestamp, whose format is determined by , will be appended. The full name can be modified at runtime (
$archiveName). Placeholders like{hostname}must not be used.Type: string matching the pattern [^/{}]+
Default:
"\\${config.networking.hostName}-<name>"Declared by:
services.borgbackup.jobs.<name>.compression¶
Compression method to use. Refer to:command:borg help compression for all available options.
Type: string matching the pattern none|(auto,)?(lz4|zstd|zlib|lzma)(,[[:digit:]]{1,2})?
Default:
"lz4"Example:
"auto,lzma"Declared by:
services.borgbackup.jobs.<name>.dateFormat¶
Arguments passed to date to create a timestamp suffix for the archive name.
Type: string
Default:
"+%Y-%m-%dT%H:%M:%S"Example:
"-u +%s"Declared by:
services.borgbackup.jobs.<name>.doInit¶
Run borg init if the specified does not exist. You should set this to
falseif the repository is located on an external drive that might not always be mounted.Type: boolean
Default:
trueDeclared by:
services.borgbackup.jobs.<name>.encryption.mode¶
Encryption mode to use. Setting a mode other than
"none"requires you to specify a or a .Type: one of “repokey”, “keyfile”, “repokey-blake2”, “keyfile-blake2”, “authenticated”, “authenticated-blake2”, “none”
Declared by:
services.borgbackup.jobs.<name>.encryption.passCommand¶
A command which prints the passphrase to stdout. Mutually exclusive with .
Type: null or string
Default:
nullExample:
"cat /path/to/passphrase_file"Declared by:
services.borgbackup.jobs.<name>.encryption.passphrase¶
The passphrase the backups are encrypted with. Mutually exclusive with . If you do not want the passphrase to be stored in the world-readable Nix store, use .
Type: null or string
Default:
nullDeclared by:
services.borgbackup.jobs.<name>.environment¶
Environment variables passed to the backup script. You can for example specify which SSH key to use.
Type: attribute set of strings
Default: ``{
}``
Example:
{ BORG_RSH = "ssh -i /path/to/key"; }Declared by:
services.borgbackup.jobs.<name>.exclude¶
Exclude paths matching any of the given patterns. See:command:borg help patterns for pattern syntax.
Type: list of strings
Default: ``[
]``
Example:
[ "/home/\*/.cache" "/nix" ]Declared by:
services.borgbackup.jobs.<name>.extraArgs¶
Additional arguments for all borg calls the service has. Handle with care.
Type: string
Default:
""Example:
"--remote-path=/path/to/borg"Declared by:
services.borgbackup.jobs.<name>.extraCreateArgs¶
Additional arguments for borg create. Can also be set at runtime using
$extraCreateArgs.Type: string
Default:
""Example:
"--stats --checkpoint-interval 600"Declared by:
services.borgbackup.jobs.<name>.extraInitArgs¶
Additional arguments for borg init. Can also be set at runtime using
$extraInitArgs.Type: string
Default:
""Example:
"--append-only"Declared by:
services.borgbackup.jobs.<name>.extraPruneArgs¶
Additional arguments for borg prune. Can also be set at runtime using
$extraPruneArgs.Type: string
Default:
""Example:
"--save-space"Declared by:
services.borgbackup.jobs.<name>.group¶
The group borg is run as. User or group needs read permission for the specified .
Type: string
Default:
"root"Declared by:
services.borgbackup.jobs.<name>.paths¶
Path(s) to back up.
Type: list of strings or string convertible to it
Example:
"/home/user"Declared by:
services.borgbackup.jobs.<name>.postCreate¶
Shell commands to run after borg create. The name of the created archive is stored in
$archiveName.Type: strings concatenated with “\n”
Default:
""Declared by:
services.borgbackup.jobs.<name>.postHook¶
Shell commands to run just before exit. They are executed even if a previous command exits with a non-zero exit code. The latter is available as
$exitStatus.Type: strings concatenated with “\n”
Default:
""Declared by:
services.borgbackup.jobs.<name>.postInit¶
Shell commands to run after borg init.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.borgbackup.jobs.<name>.postPrune¶
Shell commands to run after borg prune.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.borgbackup.jobs.<name>.preHook¶
Shell commands to run before the backup. This can for example be used to mount file systems.
Type: strings concatenated with “\n”
Default:
""Example:
'' # To add excluded paths at runtime extraCreateArgs="$extraCreateArgs --exclude /some/path" ''Declared by:
services.borgbackup.jobs.<name>.privateTmp¶
Set the
PrivateTmpoption for the systemd-service. Set to false if you need sockets or other files from global /tmp.Type: boolean
Default:
trueDeclared by:
services.borgbackup.jobs.<name>.prune.keep¶
Prune a repository by deleting all archives not matching any of the specified retention options. See borg help prune for the available options.
Type: attribute set of signed integer or string matching the pattern [[:digit:]]+[Hdwmy]s
Default: ``{
}``
Example:
{ within = "1d"; # Keep all archives from the last day daily = 7; weekly = 4; monthly = -1; # Keep at least one archive for each month }Declared by:
services.borgbackup.jobs.<name>.prune.prefix¶
Only consider archive names starting with this prefix for pruning. By default, only archives created by this job are considered. Use
""to consider all archives.Type: string
Default:
"\\${archiveBaseName}"Declared by:
services.borgbackup.jobs.<name>.readWritePaths¶
By default, borg cannot write anywhere on the system but``$HOME/.config/borg`` and
$HOME/.cache/borg. If, for example, your preHook script needs to dump files somewhere, put those directories here.Type: list of paths
Default: ``[
]``
Example:
[ "/var/backup/mysqldump" ]Declared by:
services.borgbackup.jobs.<name>.removableDevice¶
Whether the repo (which must be local) is a removable device.
Type: boolean
Default:
falseDeclared by:
services.borgbackup.jobs.<name>.repo¶
Remote or local repository to back up to.
Type: string
Example:
"user@machine:/path/to/repo"Declared by:
services.borgbackup.jobs.<name>.startAt¶
When or how often the backup should run. Must be in the format described insystemd.time7. If you do not want the backup to start automatically, use
[ ].Type: string or list of strings
Default:
"daily"Declared by:
services.borgbackup.jobs.<name>.user¶
The user borg is run as. User or group need read permission for the specified .
Type: string
Default:
"root"Declared by:
services.borgbackup.repos¶
Serve BorgBackup repositories to given public SSH keys, restricting their access to the repository only. Also, clients do not need to specify the absolute path when accessing the repository, i.e.
user@machine:.is enough. (Note colon and dot.)Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.borgbackup.repos.<name>.allowSubRepos¶
Allow clients to create repositories in subdirectories of the specified . These can be accessed using``user@machine:path/to/subrepo``. Note that a applies to repositories independently. Therefore, if this is enabled, clients can create multiple repositories and upload an arbitrary amount of data.
Type: boolean
Default:
falseDeclared by:
services.borgbackup.repos.<name>.authorizedKeys¶
Public SSH keys that are given full write access to this repository. You should use a different SSH key for each repository you write to, because the specified keys are restricted to running borg serve and can only access this single repository.
Type: list of strings
Default: ``[
]``
Declared by:
services.borgbackup.repos.<name>.authorizedKeysAppendOnly¶
Public SSH keys that can only be used to append new data (archives) to the repository. Note that archives can still be marked as deleted and are subsequently removed from disk upon accessing the repo with full write access, e.g. when pruning.
Type: list of strings
Default: ``[
]``
Declared by:
services.borgbackup.repos.<name>.group¶
The group borg serve is run as. User or group needs write permission for the specified .
Type: string
Default:
"borg"Declared by:
services.borgbackup.repos.<name>.path¶
Where to store the backups. Note that the directory is created automatically, with correct permissions.
Type: path
Default:
"/var/lib/borgbackup"Declared by:
services.borgbackup.repos.<name>.quota¶
Storage quota for the repository. This quota is ensured for all sub-repositories if is enabled but not for the overall storage space used.
Type: null or string matching the pattern [[:digit:].]+[KMGTP]?
Default:
nullExample:
"100G"Declared by:
services.borgbackup.repos.<name>.user¶
The user borg serve is run as. User or group needs write permission for the specified .
Type: string
Default:
"borg"Declared by:
services.bosun.enable¶
Whether to run bosun.
Type: boolean
Default:
falseDeclared by:
services.bosun.package¶
bosun binary to use.
Type: package
Default:
"pkgs.bosun"Example:
pkgs.bosunDeclared by:
services.bosun.checkFrequency¶
Bosun’s check frequency
Type: string
Default:
"5m"Declared by:
services.bosun.extraConfig¶
Extra configuration options for Bosun. You should describe your desired templates, alerts, macros, etc through this configuration option.
A detailed description of the supported syntax can be found at-spi2-atk http://bosun.org/configuration.html
Type: strings concatenated with “\n”
Default:
""Declared by:
services.bosun.group¶
Group account under which bosun runs.
Type: string
Default:
"bosun"Declared by:
services.bosun.influxHost¶
Host and port of the influxdb database.
Type: null or string
Default:
nullExample:
"localhost:8086"Declared by:
services.bosun.ledisDir¶
Path to bosun’s ledis data dir
Type: path
Default:
"/var/lib/bosun/ledis_data"Declared by:
services.bosun.listenAddress¶
The host address and port that bosun’s web interface will listen on.
Type: string
Default:
":8070"Declared by:
services.bosun.opentsdbHost¶
Host and port of the OpenTSDB database that stores bosun data. To disable opentsdb you can pass null as parameter.
Type: null or string
Default:
"localhost:4242"Declared by:
services.bosun.stateFile¶
Path to bosun’s state file.
Type: path
Default:
"/var/lib/bosun/bosun.state"Declared by:
services.bosun.user¶
User account under which bosun runs.
Type: string
Default:
"bosun"Declared by:
services.brltty.enable¶
Whether to enable the BRLTTY daemon.
Type: boolean
Default:
falseDeclared by:
services.btrfs.autoScrub.enable¶
Whether to enable regular btrfs scrub.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.btrfs.autoScrub.fileSystems¶
List of paths to btrfs filesystems to regularily call btrfs scrub on. Defaults to all mount points with btrfs filesystems. If you mount a filesystem multiple times or additionally mount subvolumes, you need to manually specify this list to avoid scrubbing multiple times.
Type: list of paths
Example:
[ "/" ]Declared by:
services.btrfs.autoScrub.interval¶
Systemd calendar expression for when to scrub btrfs filesystems. The recommended period is a month but could be less (btrfs-scrub8). Seesystemd.time7 for more information on the syntax.
Type: string
Default:
"monthly"Example:
"weekly"Declared by:
services.buildbot-master.enable¶
Whether to enable the Buildbot continuous integration server.
Type: boolean
Default:
falseDeclared by:
services.buildbot-master.package¶
Package to use for buildbot.
Type: package
Default:
"pkgs.python3Packages.buildbot-full"Example:
pkgs.python3Packages.buildbotDeclared by:
services.buildbot-master.packages¶
Packages to add to PATH for the buildbot process.
Type: list of packages
Default:
[ *(build of git-minimal-2.25.1)* ]Example:
[ pkgs.git ]Declared by:
services.buildbot-master.bpPort¶
Port where the master will listen to Buildbot Worker.
Type: signed integer
Default:
9989Declared by:
services.buildbot-master.buildbotDir¶
Specifies the Buildbot directory.
Type: path
Default:
"/home/buildbot/master"Declared by:
services.buildbot-master.buildbotUrl¶
Specifies the Buildbot URL.
Type: string
Default:
"http://localhost:8010/"Declared by:
services.buildbot-master.builders¶
List of Builders.
Type: list of strings
Default:
[ "util.BuilderConfig(name='runtests',workernames=['example-worker'],factory=factory)" ]Declared by:
services.buildbot-master.changeSource¶
List of Change Sources.
Type: list of strings
Default: ``[
]``
Example:
[ "changes.GitPoller('git://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)" ]Declared by:
services.buildbot-master.dbUrl¶
Specifies the database connection string.
Type: string
Default:
"sqlite:///state.sqlite"Declared by:
services.buildbot-master.extraConfig¶
Extra configuration to append to master.cfg
Type: string
Default:
"c['buildbotNetUsageData'] = None"Declared by:
services.buildbot-master.extraGroups¶
List of extra groups that the buildbot user should be a part of.
Type: list of strings
Default: ``[
]``
Declared by:
services.buildbot-master.factorySteps¶
Factory Steps
Type: list of strings
Default: ``[
]``
Example:
[ "steps.Git(repourl='git://github.com/buildbot/pyflakes.git', mode='incremental')" "steps.ShellCommand(command=['trial', 'pyflakes'])" ]Declared by:
services.buildbot-master.group¶
Primary group of buildbot user.
Type: string
Default:
"buildbot"Declared by:
services.buildbot-master.home¶
Buildbot home directory.
Type: path
Default:
"/home/buildbot"Declared by:
services.buildbot-master.listenAddress¶
Specifies the bind address on which the buildbot HTTP interface listens.
Type: string
Default:
"0.0.0.0"Declared by:
services.buildbot-master.masterCfg¶
Optionally pass master.cfg path. Other options in this configuration will be ignored.
Type: path
Default:
*(build of master.cfg)*Example:
"/etc/nixos/buildbot/master.cfg"Declared by:
services.buildbot-master.port¶
Specifies port number on which the buildbot HTTP interface listens.
Type: signed integer
Default:
8010Declared by:
services.buildbot-master.pythonPackages¶
Packages to add the to the PYTHONPATH of the buildbot process.
Type: unspecified
Default:
"pythonPackages: with pythonPackages; [ ]"Example:
pythonPackages: with pythonPackages; [ requests ]Declared by:
services.buildbot-master.schedulers¶
List of Schedulers.
Type: list of strings
Default:
[ "schedulers.SingleBranchScheduler(name='all', change_filter=util.ChangeFilter(branch='master'), treeStableTimer=None, builderNames=['runtests'])" "schedulers.ForceScheduler(name='force',builderNames=['runtests'])" ]Declared by:
services.buildbot-master.status¶
services.buildbot-master.title¶
Specifies the Buildbot Title.
Type: string
Default:
"Buildbot"Declared by:
services.buildbot-master.titleUrl¶
Specifies the Buildbot TitleURL.
Type: string
Default:
"Buildbot"Declared by:
services.buildbot-master.user¶
User the buildbot server should execute under.
Type: string
Default:
"buildbot"Declared by:
services.buildbot-master.workers¶
List of Workers.
Type: list of strings
Default:
[ "worker.Worker('example-worker', 'pass')" ]Declared by:
services.buildbot-worker.enable¶
Whether to enable the Buildbot Worker.
Type: boolean
Default:
falseDeclared by:
services.buildbot-worker.package¶
Package to use for buildbot worker.
Type: package
Default:
"pkgs.python3Packages.buildbot-worker"Example:
pkgs.python2Packages.buildbot-workerDeclared by:
services.buildbot-worker.packages¶
Packages to add to PATH for the buildbot process.
Type: list of packages
Default:
[ *(build of )* ]Example:
[ pkgs.git ]Declared by:
services.buildbot-worker.adminMessage¶
Name of the administrator of this worker
Type: null or string
Default:
nullDeclared by:
services.buildbot-worker.buildbotDir¶
Specifies the Buildbot directory.
Type: path
Default:
"/home/bbworker/worker"Declared by:
services.buildbot-worker.extraGroups¶
List of extra groups that the Buildbot Worker user should be a part of.
Type: list of strings
Default: ``[
]``
Declared by:
services.buildbot-worker.group¶
Primary group of buildbot Worker user.
Type: string
Default:
"bbworker"Declared by:
services.buildbot-worker.home¶
Buildbot home directory.
Type: path
Default:
"/home/bbworker"Declared by:
services.buildbot-worker.hostMessage¶
Description of this worker
Type: null or string
Default:
nullDeclared by:
services.buildbot-worker.masterUrl¶
Specifies the Buildbot Worker connection string.
Type: string
Default:
"localhost:9989"Declared by:
services.buildbot-worker.user¶
User the buildbot Worker should execute under.
Type: string
Default:
"bbworker"Declared by:
services.buildbot-worker.workerPass¶
Specifies the Buildbot Worker password.
Type: string
Default:
"pass"Declared by:
services.buildbot-worker.workerPassFile¶
File used to store the Buildbot Worker password
Type: path
Declared by:
services.buildbot-worker.workerUser¶
Specifies the Buildbot Worker user.
Type: string
Default:
"example-worker"Declared by:
services.buildkite-agents¶
Attribute set of buildkite agents. The attribute key is combined with the hostname and a unique integer to create the final agent name. This can be overridden by setting the `name` attribute.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.buildkite-agents.<name>.enable¶
Whether to enable this buildkite agent
Type: boolean
Default:
trueDeclared by:
services.buildkite-agents.<name>.package¶
Which buildkite-agent derivation to use
Type: package
Default:
"pkgs.buildkite-agent"Declared by:
services.buildkite-agents.<name>.dataDir¶
The workdir for the agent
Type: string
Default:
"/var/lib/buildkite-agent-‹name›"Declared by:
services.buildkite-agents.<name>.extraConfig¶
Extra lines to be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
"debug=true"Declared by:
services.buildkite-agents.<name>.hooks.checkout¶
The `checkout` hook script will replace the default checkout routine of the bootstrap.sh script. You can use this hook to do your own SCM checkout behaviour
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.command¶
The `command` hook script will replace the default implementation of running the build command.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.environment¶
The `environment` hook will run before all other commands, and can be used to set up secrets, data, etc. Anything exported in hooks will be available to the build script.
Note: the contents of this file will be copied to the world-readable Nix store.
Type: null or strings concatenated with “\n”
Default:
nullExample:
'' export SECRET_VAR=`head -1 /run/keys/secret` ''Declared by:
services.buildkite-agents.<name>.hooks.post-artifact¶
The `post-artifact` hook will run just after artifacts are uploaded
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.post-checkout¶
The `post-checkout` hook will run after the bootstrap script has checked out your projects source code.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.post-command¶
The `post-command` hook will run after the bootstrap script has run your build commands
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.pre-artifact¶
The `pre-artifact` hook will run just before artifacts are uploaded
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.pre-checkout¶
The `pre-checkout` hook will run just before your projects source code is checked out from your SCM provider
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.pre-command¶
The `pre-command` hook will run just before your build command runs
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooks.pre-exit¶
The `pre-exit` hook will run just before your build job finishes
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.buildkite-agents.<name>.hooksPath¶
Path to the directory storing the hooks. Consider using instead.
Type: path
Default:
"generated from services.buildkite-agents.<name>.hooks"Declared by:
services.buildkite-agents.<name>.name¶
The name of the agent as seen in the buildkite dashboard.
Type: string
Default:
"%hostname-‹name›-%n"Declared by:
services.buildkite-agents.<name>.privateSshKeyPath¶
OpenSSH private key
A run-time path to the key file, which is supposed to be provisioned outside of Nix store.
Type: null or path
Default:
nullDeclared by:
services.buildkite-agents.<name>.runtimePackages¶
Add programs to the buildkite-agent environment
Type: list of packages
Default:
"[ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]"Declared by:
services.buildkite-agents.<name>.shell¶
Command that buildkite-agent 3 will execute when it spawns a shell.
Type: string
Default:
"\\${pkgs.bash}/bin/bash -e -c"Declared by:
services.buildkite-agents.<name>.tags¶
Tags for the agent.
Type: attribute set of strings
Default: ``{
}``
Example:
{ docker = "true"; queue = "default"; ruby2 = "true"; }Declared by:
services.buildkite-agents.<name>.tokenPath¶
The token from your Buildkite “Agents” page.
A run-time path to the token file, which is supposed to be provisioned outside of Nix store.
Type: path
Declared by:
services.cachefilesd.enable¶
Whether to enable cachefilesd network filesystems caching daemon.
Type: boolean
Default:
falseDeclared by:
services.cachefilesd.cacheDir¶
Directory to contain filesystem cache.
Type: string
Default:
"/var/cache/fscache"Declared by:
services.cachefilesd.extraConfig¶
Additional configuration file entries. See cachefilesd.conf(5) for more information.
Type: strings concatenated with “\n”
Default:
""Example:
"brun 10%"Declared by:
services.caddy.enable¶
Whether to enable Caddy web server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.caddy.package¶
Caddy package to use.
Type: package
Default:
"pkgs.caddy"Declared by:
services.caddy.agree¶
Agree to Let’s Encrypt Subscriber Agreement
Type: boolean
Default:
falseDeclared by:
services.caddy.ca¶
Certificate authority ACME server. The default (Let’s Encrypt production server) should be fine for most people.
Type: string
Default:
"https://acme-v02.api.letsencrypt.org/directory"Example:
"https://acme-staging-v02.api.letsencrypt.org/directory"Declared by:
services.caddy.config¶
Verbatim Caddyfile to use
Type: strings concatenated with “\n”
Default:
""Example:
'' example.com { gzip minify log syslog root /srv/http } ''Declared by:
services.caddy.dataDir¶
The data directory, for storing certificates. Before 17.09, this would create a .caddy directory. With 17.09 the contents of the .caddy directory are in the specified data directory instead.
Type: path
Default:
"/var/lib/caddy"Declared by:
services.caddy.email¶
Email address (for Let’s Encrypt certificate)
Type: string
Default:
""Declared by:
services.cadvisor.enable¶
Whether to enable cadvisor service.
Type: boolean
Default:
falseDeclared by:
services.cadvisor.extraOptions¶
Additional cadvisor options.
See ` <https://github.com/google/cadvisor/blob/master/docs/runtime_options.md>`_ for available options.
Type: list of strings
Default: ``[
]``
Declared by:
services.cadvisor.listenAddress¶
Cadvisor listening host
Type: string
Default:
"127.0.0.1"Declared by:
services.cadvisor.port¶
Cadvisor listening port
Type: signed integer
Default:
8080Declared by:
services.cadvisor.storageDriver¶
Cadvisor storage driver.
Type: null or string
Default:
nullExample:
"influxdb"Declared by:
services.cadvisor.storageDriverDb¶
Cadvisord storage driver database name.
Type: string
Default:
"root"Declared by:
services.cadvisor.storageDriverHost¶
Cadvisor storage driver host.
Type: string
Default:
"localhost:8086"Declared by:
services.cadvisor.storageDriverPassword¶
Cadvisor storage driver password.
Warning: this password is stored in the world-readable Nix store. It’s recommended to use the option since that gives you control over the security of the password. also takes precedence over .
Type: string
Default:
"root"Declared by:
services.cadvisor.storageDriverPasswordFile¶
File that contains the cadvisor storage driver password.
takes precedence over
Warning: when is non-empty this defaults to a file in the world-readable Nix store that contains the value of .
It’s recommended to override this with a path not in the Nix store. Tip: use nixops key management
Type: string
Declared by:
services.cadvisor.storageDriverSecure¶
Cadvisor storage driver, enable secure communication.
Type: boolean
Default:
falseDeclared by:
services.cadvisor.storageDriverUser¶
Cadvisor storage driver username.
Type: string
Default:
"root"Declared by:
services.calibre-server.enable¶
Whether to enable calibre-server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.calibre-server.libraryDir¶
The directory where the Calibre library to serve is.
Type: path
Declared by:
services.canto-daemon.enable¶
Whether to enable the canto RSS daemon.
Type: boolean
Default:
falseDeclared by:
services.cassandra.enable¶
Whether to enable Apache Cassandra – Scalable and highly available database. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cassandra.package¶
The Apache Cassandra package to use.
Type: package
Default:
"pkgs.cassandra"Example:
pkgs.cassandra_3_11Declared by:
services.cassandra.allowClients¶
Enables or disables the native transport server (CQL binary protocol). This server uses the same address as the
rpcAddress, but the port it uses is notrpc_portbut``native_transport_port``. See the official Cassandra docs for more information on these variables and set them using``extraConfig``.Type: boolean
Default:
trueDeclared by:
services.cassandra.clusterName¶
The name of the cluster. This setting prevents nodes in one logical cluster from joining another. All nodes in a cluster must have the same value.
Type: string
Default:
"Test Cluster"Declared by:
services.cassandra.extraConfig¶
Extra options to be merged into cassandra.yaml as nix attribute set.
Type: attribute set
Default: ``{
}``
Example:
{ commitlog_sync_batch_window_in_ms = 3; }Declared by:
services.cassandra.fullRepairInterval¶
Set the interval how often full repairs are run, i.e.``nodetool repair –full`` is executed. See https://cassandra.apache.org/doc/latest/operating/repair.html for more information.
Set to
nullto disable full repairs.Type: null or string
Default:
"3w"Example:
nullDeclared by:
services.cassandra.fullRepairOptions¶
Options passed through to the full repair command.
Type: list of strings
Default: ``[
]``
Example:
[ "--partitioner-range" ]Declared by:
services.cassandra.group¶
Run Apache Cassandra under this group.
Type: string
Default:
"cassandra"Declared by:
services.cassandra.heapNewSize¶
Must be left blank or set together with heapNewSize. If left blank a sensible value for the available amount of RAM and CPU cores is calculated.
Override to set the amount of memory to allocate to the JVM at start-up. For production use you may wish to adjust this for your environment. HEAP_NEWSIZE refers to the size of the young generation.
The main trade-off for the young generation is that the larger it is, the longer GC pause times will be. The shorter it is, the more expensive GC will be (usually).
The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause times. If in doubt, and if you do not particularly want to tweak, go with 100 MB per physical CPU core.
Type: null or string
Default:
nullExample:
"800M"Declared by:
services.cassandra.homeDir¶
Home directory for Apache Cassandra.
Type: path
Default:
"/var/lib/cassandra"Declared by:
services.cassandra.incrementalRepairInterval¶
Set the interval how often incremental repairs are run, i.e.``nodetool repair`` is executed. See https://cassandra.apache.org/doc/latest/operating/repair.html for more information.
Set to
nullto disable incremental repairs.Type: null or string
Default:
"3d"Example:
nullDeclared by:
services.cassandra.incrementalRepairOptions¶
Options passed through to the incremental repair command.
Type: list of strings
Default: ``[
]``
Example:
[ "--partitioner-range" ]Declared by:
services.cassandra.jmxPort¶
Specifies the default port over which Cassandra will be available for JMX connections. For security reasons, you should not expose this port to the internet. Firewall it if needed.
Type: signed integer
Default:
7199Declared by:
services.cassandra.jmxRoles¶
Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix-store. It’s recommended to use your own protected file using
jmxRolesFileDoesn’t work in versions older than 3.11 because they don’t like that it’s world readable.
Type: list of submodules
Default: ``[
]``
Declared by:
services.cassandra.jmxRoles.*.password¶
services.cassandra.jmxRoles.*.username¶
services.cassandra.jmxRolesFile¶
Specify your own jmx roles file.
Make sure the permissions forbid “others” from reading the file if you’re using Cassandra below version 3.11.
Type: null or path
Default:
*(build of jmx-roles-file)*Example:
"/var/lib/cassandra/jmx.password"Declared by:
services.cassandra.jvmOpts¶
services.cassandra.listenAddress¶
Address or interface to bind to and tell other Cassandra nodes to connect to. You _must_ change this if you want multiple nodes to be able to communicate!
Set listenAddress OR listenInterface, not both.
Leaving it blank leaves it up to InetAddress.getLocalHost(). This will always do the Right Thing _if_ the node is properly configured (hostname, name resolution, etc), and the Right Thing is to use the address associated with the hostname (it might not be).
Setting listen_address to 0.0.0.0 is always wrong.
Type: null or string
Default:
"127.0.0.1"Example:
nullDeclared by:
services.cassandra.listenInterface¶
Set listenAddress OR listenInterface, not both. Interfaces must correspond to a single address, IP aliasing is not supported.
Type: null or string
Default:
nullExample:
"eth1"Declared by:
services.cassandra.logbackConfig¶
XML logback configuration for cassandra
Type: strings concatenated with “\n”
Default:
'' <configuration scan="false"> <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> <encoder> <pattern>%-5level %date{HH:mm:ss,SSS} %msg%n</pattern> </encoder> </appender> <root level="INFO"> <appender-ref ref="STDOUT" /> </root> <logger name="com.thinkaurelius.thrift" level="ERROR"/> </configuration> ''Declared by:
services.cassandra.mallocArenaMax¶
Set this to control the amount of arenas per-thread in glibc.
Type: null or signed integer
Default:
nullExample:
4Declared by:
services.cassandra.maxHeapSize¶
Must be left blank or set together with heapNewSize. If left blank a sensible value for the available amount of RAM and CPU cores is calculated.
Override to set the amount of memory to allocate to the JVM at start-up. For production use you may wish to adjust this for your environment. MAX_HEAP_SIZE is the total amount of memory dedicated to the Java heap. HEAP_NEWSIZE refers to the size of the young generation.
The main trade-off for the young generation is that the larger it is, the longer GC pause times will be. The shorter it is, the more expensive GC will be (usually).
Type: null or string
Default:
nullExample:
"4G"Declared by:
services.cassandra.remoteJmx¶
Cassandra ships with JMX accessible *only* from localhost. To enable remote JMX connections set to true.
Be sure to also enable authentication and/or TLS. See: https://wiki.apache.org/cassandra/JmxSecurity
Type: boolean
Default:
falseDeclared by:
services.cassandra.rpcAddress¶
The address or interface to bind the native transport server to.
Set rpcAddress OR rpcInterface, not both.
Leaving rpcAddress blank has the same effect as on listenAddress (i.e. it will be based on the configured hostname of the node).
Note that unlike listenAddress, you can specify 0.0.0.0, but you must also set extraConfig.broadcast_rpc_address to a value other than 0.0.0.0.
For security reasons, you should not expose this port to the internet. Firewall it if needed.
Type: null or string
Default:
"127.0.0.1"Example:
nullDeclared by:
services.cassandra.rpcInterface¶
Set rpcAddress OR rpcInterface, not both. Interfaces must correspond to a single address, IP aliasing is not supported.
Type: null or string
Default:
nullExample:
"eth1"Declared by:
services.cassandra.seedAddresses¶
The addresses of hosts designated as contact points in the cluster. A joining node contacts one of the nodes in the seeds list to learn the topology of the ring. Set to 127.0.0.1 for a single node cluster.
Type: list of strings
Default:
[ "127.0.0.1" ]Declared by:
services.cassandra.user¶
Run Apache Cassandra under this user.
Type: string
Default:
"cassandra"Declared by:
services.ceph.enable¶
Whether to enable Ceph global configuration.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.client.enable¶
Whether to enable Ceph client configuration.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.client.extraConfig¶
Extra configuration to add to the client section. Configuration for rados gateways would be added here, with their own sections, see example.
Type: attribute set of strings
Default: ``{
}``
Example:
'' { # This would create a section for a radosgw daemon named node0 and related # configuration for it "client.radosgw.node0" = { "some config option" = "true"; }; }; ''Declared by:
services.ceph.extraConfig¶
Extra configuration to add to the global section. Use for setting values that are common for all daemons in the cluster.
Type: attribute set of strings
Default: ``{
}``
Example:
'' { "ms bind ipv6" = "true"; }; ''Declared by:
services.ceph.global.authClientRequired¶
Enables requiring the cluster to authenticate itself to the client.
Type: one of “cephx”, “none”
Default:
"cephx"Declared by:
services.ceph.global.authClusterRequired¶
Enables requiring daemons to authenticate with eachother in the cluster.
Type: one of “cephx”, “none”
Default:
"cephx"Declared by:
services.ceph.global.authServiceRequired¶
Enables requiring clients to authenticate with the cluster to access services in the cluster (e.g. radosgw, mds or osd).
Type: one of “cephx”, “none”
Default:
"cephx"Declared by:
services.ceph.global.clusterName¶
Name of cluster
Type: string
Default:
"ceph"Declared by:
services.ceph.global.clusterNetwork¶
A comma-separated list of subnets that will be used as cluster networks in the cluster.
Type: null or strings concatenated with “,”
Default:
nullExample:
'' 10.10.0.0/24, 192.168.0.0/24 ''Declared by:
services.ceph.global.fsid¶
Filesystem ID, a generated uuid, its must be generated and set before attempting to start a cluster
Type: string
Example:
'' 433a2193-4f8a-47a0-95d2-209d7ca2cca5 ''Declared by:
services.ceph.global.maxOpenFiles¶
Max open files for each OSD daemon.
Type: signed integer
Default:
131072Declared by:
services.ceph.global.mgrModulePath¶
Path at which to find ceph-mgr modules.
Type: path
Default:
"\\${pkgs.ceph.lib}/lib/ceph/mgr"Declared by:
services.ceph.global.monHost¶
List of hostname shortnames/IP addresses of the initial monitors.
Type: null or strings concatenated with “,”
Default:
nullExample:
'' 10.10.0.1, 10.10.0.2, 10.10.0.3 ''Declared by:
services.ceph.global.monInitialMembers¶
List of hosts that will be used as monitors at startup.
Type: null or strings concatenated with “,”
Default:
nullExample:
'' node0, node1, node2 ''Declared by:
services.ceph.global.publicNetwork¶
A comma-separated list of subnets that will be used as public networks in the cluster.
Type: null or strings concatenated with “,”
Default:
nullExample:
'' 10.20.0.0/24, 192.168.1.0/24 ''Declared by:
services.ceph.global.rgwMimeTypesFile¶
Path to mime types used by radosgw.
Type: null or path
Default:
"\\${pkgs.mime-types}/etc/mime.types"Declared by:
services.ceph.mds.enable¶
Whether to enable Ceph MDS daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.mds.daemons¶
A list of metadata service daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in mds.name1
Type: list of strings
Default: ``[
]``
Example:
'' [ "name1" "name2" ]; ''Declared by:
services.ceph.mds.extraConfig¶
Extra configuration to add to the MDS section.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.ceph.mgr.enable¶
Whether to enable Ceph MGR daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.mgr.daemons¶
A list of names for manager daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in mgr.name1
Type: list of strings
Default: ``[
]``
Example:
'' [ "name1" "name2" ]; ''Declared by:
services.ceph.mgr.extraConfig¶
Extra configuration to add to the global section for manager daemons.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.ceph.mon.enable¶
Whether to enable Ceph MON daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.mon.daemons¶
A list of monitor daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in mon.name1
Type: list of strings
Default: ``[
]``
Example:
'' [ "name1" "name2" ]; ''Declared by:
services.ceph.mon.extraConfig¶
Extra configuration to add to the monitor section.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.ceph.osd.enable¶
Whether to enable Ceph OSD daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.osd.daemons¶
A list of OSD daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in osd.name1
Type: list of strings
Default: ``[
]``
Example:
'' [ "name1" "name2" ]; ''Declared by:
services.ceph.osd.extraConfig¶
Extra configuration to add to the OSD section.
Type: attribute set of strings
Default:
{ osd crush chooseleaf type = "1"; osd journal size = "10000"; osd pool default min size = "2"; osd pool default pg num = "200"; osd pool default pgp num = "200"; osd pool default size = "3"; }Declared by:
services.ceph.rgw.enable¶
Whether to enable Ceph RadosGW daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ceph.rgw.daemons¶
A list of rados gateway daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in client.name1, radosgw daemons aren’t daemons to cluster in the sense that OSD, MGR or MON daemons are. They are simply daemons, from ceph, that uses the cluster as a backend.
Type: list of strings
Default: ``[
]``
Example:
'' [ "name1" "name2" ]; ''Declared by:
services.certmgr.enable¶
Whether to enable certmgr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.certmgr.package¶
Which certmgr package to use in the service.
Type: package
Default:
"pkgs.certmgr"Declared by:
services.certmgr.defaultRemote¶
The default CA host:port to use.
Type: string
Default:
"127.0.0.1:8888"Declared by:
services.certmgr.metricsAddress¶
The address for the Prometheus HTTP endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.certmgr.metricsPort¶
The port for the Prometheus HTTP endpoint.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
9488Declared by:
services.certmgr.renewInterval¶
How often to check certificate expirations and how often to update the cert_next_expires metric.
Type: string
Default:
"30m"Declared by:
services.certmgr.specs¶
Certificate specs as described by:` <https://github.com/cloudflare/certmgr#certificate-specs>`_ These will be added to the Nix store, so they will be world readable.
Type: attribute set of path or submodules
Default: ``{
}``
Example:
{ exampleCert = let domain = "example.com"; secret = name: "/var/lib/secrets/${name}.pem"; in { service = "nginx"; action = "reload"; authority = { file.path = secret "ca"; }; certificate = { path = secret domain; }; private_key = { owner = "root"; group = "root"; mode = "0600"; path = secret "${domain}-key"; }; request = { CN = domain; hosts = [ "mail.${domain}" "www.${domain}" ]; key = { algo = "rsa"; size = 2048; }; names = { O = "Example Organization"; C = "USA"; }; }; }; otherCert = "/var/certmgr/specs/other-cert.json"; }Declared by:
services.certmgr.svcManager¶
This specifies the service manager to use for restarting or reloading services. See: ` <https://github.com/cloudflare/certmgr#certmgryaml>`_. For how to use the “command” service manager in particular, see: ` <https://github.com/cloudflare/certmgr#command-svcmgr-and-how-to-use-it>`_.
Type: one of “circus”, “command”, “dummy”, “openrc”, “systemd”, “sysv”
Default:
"systemd"Declared by:
services.certmgr.validMin¶
The interval before a certificate expires to start attempting to renew it.
Type: string
Default:
"72h"Declared by:
services.cfdyndns.enable¶
Whether to enable Cloudflare Dynamic DNS Client.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cfdyndns.apikey¶
The API Key to use to authenticate to CloudFlare.
Type: string
Declared by:
services.cfdyndns.email¶
The email address to use to authenticate to CloudFlare.
Type: string
Declared by:
services.cfdyndns.records¶
The records to update in CloudFlare.
Type: list of strings
Default: ``[
]``
Example:
[ "host.tld" ]Declared by:
services.cfssl.enable¶
Whether to enable the CFSSL CA api-server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cfssl.address¶
Address to bind.
Type: string
Default:
"127.0.0.1"Declared by:
services.cfssl.ca¶
CA used to sign the new certificate – accepts ‘[file:]fname’ or ‘env:varname’.
Type: string
Default:
"\\${cfg.dataDir}/ca.pem"Declared by:
services.cfssl.caBundle¶
Path to root certificate store.
Type: null or path
Default:
nullDeclared by:
services.cfssl.caKey¶
CA private key – accepts ‘[file:]fname’ or ‘env:varname’.
Type: string
Default:
"file:\\${cfg.dataDir}/ca-key.pem"Declared by:
services.cfssl.configFile¶
Path to configuration file. Do not put this in nix-store as it might contain secrets.
Type: null or string
Default:
nullDeclared by:
services.cfssl.dataDir¶
Cfssl work directory.
Type: path
Default:
"/var/lib/cfssl"Declared by:
services.cfssl.dbConfig¶
Certificate db configuration file. Path must be writeable.
Type: null or path
Default:
nullDeclared by:
services.cfssl.intBundle¶
Path to intermediate certificate store.
Type: null or path
Default:
nullDeclared by:
services.cfssl.intDir¶
Intermediates directory.
Type: null or path
Default:
nullDeclared by:
services.cfssl.logLevel¶
Log level (0 = DEBUG, 5 = FATAL).
Type: one of 0, 1, 2, 3, 4, 5
Default:
1Declared by:
services.cfssl.metadata¶
Metadata file for root certificate presence. The content of the file is a json dictionary (k,v): each key k is a SHA-1 digest of a root certificate while value v is a list of key store filenames.
Type: null or path
Default:
nullDeclared by:
services.cfssl.mutualTlsCa¶
Mutual TLS - require clients be signed by this CA.
Type: null or path
Default:
nullDeclared by:
services.cfssl.mutualTlsClientCert¶
Mutual TLS - client certificate to call remote instance requiring client certs.
Type: null or path
Default:
nullDeclared by:
services.cfssl.mutualTlsClientKey¶
Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.
Type: null or path
Default:
nullDeclared by:
services.cfssl.mutualTlsCn¶
Mutual TLS - regex for whitelist of allowed client CNs.
Type: null or string
Default:
nullDeclared by:
services.cfssl.port¶
Port to bind.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8888Declared by:
services.cfssl.remote¶
Remote CFSSL server.
Type: null or string
Default:
nullDeclared by:
services.cfssl.responder¶
Certificate for OCSP responder.
Type: null or path
Default:
nullDeclared by:
services.cfssl.responderKey¶
Private key for OCSP responder certificate. Do not put this in nix-store.
Type: null or string
Default:
nullDeclared by:
services.cfssl.tlsCert¶
Other endpoint’s CA to set up TLS protocol.
Type: null or path
Default:
nullDeclared by:
services.cfssl.tlsKey¶
Other endpoint’s CA private key. Do not put this in nix-store.
Type: null or string
Default:
nullDeclared by:
services.cfssl.tlsRemoteCa¶
CAs to trust for remote TLS requests.
Type: null or path
Default:
nullDeclared by:
services.cgmanager.enable¶
Whether to enable cgmanager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cgminer.enable¶
Whether to enable cgminer, an ASIC/FPGA/GPU miner for bitcoin and litecoin.
Type: unspecified
Default:
falseDeclared by:
services.cgminer.package¶
Which cgminer derivation to use.
Type: package
Default:
"pkgs.cgminer"Declared by:
services.cgminer.config¶
Additional config
Type: unspecified
Default: ``{
}``
Example:
{ auto-fan = true; auto-gpu = true; expiry = 120; failover-only = true; gpu-threads = 2; log = 5; queue = 1; scan-time = 60; temp-histeresys = 3; }Declared by:
services.cgminer.hardware¶
List of config options for every GPU
Type: unspecified
Default: ``[
]``
Example: ``[
{ gpu-engine = “0-985”; gpu-fan = “0-85”; gpu-memclock = 860; gpu-powertune = 20; intensity = 9; temp-cutoff = 95; temp-overheat = 85; temp-target = 75; }
{ gpu-engine = “0-950”; gpu-fan = “0-85”; gpu-memclock = 825; gpu-powertune = 20; intensity = 9; temp-cutoff = 95; temp-overheat = 85; temp-target = 75; }
]``
Declared by:
services.cgminer.pools¶
List of pools where to mine
Type: unspecified
Default: ``[
]``
Example: ``[
{ password = “X”; url = “http://p2pool.org:9332”; username = “17EUZxTvs9uRmPsjPZSYUU3zCz9iwstudk”; }
]``
Declared by:
services.cgminer.user¶
User account under which cgminer runs
Type: unspecified
Default:
"cgminer"Declared by:
services.charybdis.enable¶
Whether to enable Charybdis IRC daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.charybdis.config¶
Charybdis IRC daemon configuration file.
Type: string
Declared by:
services.charybdis.group¶
Charybdis IRC daemon group.
Type: string
Default:
"ircd"Declared by:
services.charybdis.motd¶
Charybdis MOTD text.
Charybdis will read its MOTD from /etc/charybdis/ircd.motd . If set, the value of this option will be written to this path.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.charybdis.statedir¶
Location of the state directory of charybdis.
Type: path
Default:
"/var/lib/charybdis"Declared by:
services.charybdis.user¶
Charybdis IRC daemon user.
Type: string
Default:
"ircd"Declared by:
services.chronos.enable¶
Whether to enable graphite web frontend.
Type: boolean
Default:
falseDeclared by:
services.chronos.httpPort¶
Chronos listening port
Type: signed integer
Default:
4400Declared by:
services.chronos.master¶
Chronos mesos master zookeeper address
Type: string
Default:
"zk://localhost:2181/mesos"Declared by:
services.chronos.zookeeperHosts¶
Chronos mesos zookepper addresses
Type: list of strings
Default:
[ "localhost:2181" ]Declared by:
services.chrony.enable¶
Whether to synchronise your machine’s time using chrony. Make sure you disable NTP if you enable this service.
Type: unspecified
Default:
falseDeclared by:
services.chrony.extraConfig¶
Extra configuration directives that should be added to``chrony.conf``
Type: strings concatenated with “\n”
Default:
""Declared by:
services.chrony.extraFlags¶
Extra flags passed to the chronyd command.
Type: list of strings
Default: ``[
]``
Example:
[ "-s" ]Declared by:
services.chrony.initstepslew¶
Allow chronyd to make a rapid measurement of the system clock error at boot time, and to correct the system clock by stepping before normal operation begins.
Type: unspecified
Default:
{ enabled = true; threshold = 1000; }Declared by:
services.chrony.servers¶
The set of NTP servers from which to synchronise.
Type: unspecified
Default:
[ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]Declared by:
services.cjdns.enable¶
Whether to enable the cjdns network encryption and routing engine. A file at /etc/cjdns.keys will be created if it does not exist to contain a random secret key that your IPv6 address will be derived from.
Type: boolean
Default:
falseDeclared by:
services.cjdns.ETHInterface.beacon¶
Auto-connect to other cjdns nodes on the same network. Options: 0: Disabled. 1: Accept beacons, this will cause cjdns to accept incoming beacon messages and try connecting to the sender. 2: Accept and send beacons, this will cause cjdns to broadcast messages on the local network which contain a randomly generated per-session password, other nodes which have this set to 1 or 2 will hear the beacon messages and connect automatically.
Type: signed integer
Default:
2Declared by:
services.cjdns.ETHInterface.bind¶
Bind to this device for native ethernet operation.``all`` is a pseudo-name which will try to connect to all devices.
Type: string
Default:
""Example:
"eth0"Declared by:
services.cjdns.ETHInterface.connectTo¶
Credentials for connecting look similar to UDP credientials except they begin with the mac address.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ 01:02:03:04:05:06 = { hostname = "homer.hype"; password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; } ; }Declared by:
services.cjdns.ETHInterface.connectTo.<name>.hostname¶
Optional hostname to add to /etc/hosts; prevents reverse lookup failures.
Type: string
Default:
""Example:
"foobar.hype"Declared by:
services.cjdns.ETHInterface.connectTo.<name>.password¶
Authorized password to the opposite end of the tunnel.
Type: string
Declared by:
services.cjdns.ETHInterface.connectTo.<name>.publicKey¶
Public key at the opposite end of the tunnel.
Type: string
Declared by:
services.cjdns.UDPInterface.bind¶
Address and port to bind UDP tunnels to.
Type: string
Default:
""Example:
"192.168.1.32:43211"Declared by:
services.cjdns.UDPInterface.connectTo¶
Credentials for making UDP tunnels.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ 192.168.1.1:27313 = { hostname = "homer.hype"; password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM"; publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k"; } ; }Declared by:
services.cjdns.UDPInterface.connectTo.<name>.hostname¶
Optional hostname to add to /etc/hosts; prevents reverse lookup failures.
Type: string
Default:
""Example:
"foobar.hype"Declared by:
services.cjdns.UDPInterface.connectTo.<name>.password¶
Authorized password to the opposite end of the tunnel.
Type: string
Declared by:
services.cjdns.UDPInterface.connectTo.<name>.publicKey¶
Public key at the opposite end of the tunnel.
Type: string
Declared by:
services.cjdns.addExtraHosts¶
Whether to add cjdns peers with an associated hostname to:file:/etc/hosts. Beware that enabling this incurs heavy eval-time costs.
Type: boolean
Default:
falseDeclared by:
services.cjdns.admin.bind¶
Bind the administration port to this address and port.
Type: string
Default:
"127.0.0.1:11234"Declared by:
services.cjdns.authorizedPasswords¶
Any remote cjdns nodes that offer these passwords on connection will be allowed to route through this node.
Type: list of strings
Default: ``[
]``
Example:
[ "snyrfgkqsc98qh1y4s5hbu0j57xw5s0" "z9md3t4p45mfrjzdjurxn4wuj0d8swv" "49275fut6tmzu354pq70sr5b95qq0vj" ]Declared by:
services.cjdns.confFile¶
Ignore all other cjdns options and load configuration from this file.
Type: null or path
Default:
nullExample:
"/etc/cjdroute.conf"Declared by:
services.cjdns.extraConfig¶
Extra configuration, given as attrs, that will be merged recursively with the rest of the JSON generated by this module, at the root node.
Type: attribute set
Default: ``{
}``
Example:
{ router = { interface = { tunDevice = "tun10"; } ; } ; }Declared by:
services.clamav.daemon.enable¶
Whether to enable ClamAV clamd daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.clamav.daemon.extraConfig¶
Extra configuration for clamd. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.clamav.updater.enable¶
Whether to enable ClamAV freshclam updater.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.clamav.updater.extraConfig¶
Extra configuration for freshclam. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.clamav.updater.frequency¶
Number of database checks per day.
Type: signed integer
Default:
12Declared by:
services.clamav.updater.interval¶
How often freshclam is invoked. See systemd.time(7) for more information about the format.
Type: string
Default:
"hourly"Declared by:
services.clamsmtp.enable¶
Whether to enable clamsmtp.
Type: boolean
Default:
falseDeclared by:
services.clamsmtp.instances¶
Instances of clamsmtp to run.
Type: list of submodules
Declared by:
services.clamsmtp.instances.*.action¶
Action to take when a virus is detected.
Note that viruses often spoof sender addresses, so bouncing is in most cases not a good idea.
Type: one of “bounce”, “drop”, “pass”
Default:
"drop"Declared by:
services.clamsmtp.instances.*.header¶
A header to add to scanned messages. See clamsmtpd.conf(5) for more details. Empty means no header.
Type: string
Default:
""Example:
"X-Virus-Scanned: ClamAV using ClamSMTP"Declared by:
services.clamsmtp.instances.*.keepAlives¶
Number of seconds to wait between each NOOP sent to the sending server. 0 to disable.
This is meant for slow servers where the sending MTA times out waiting for clamd to scan the file.
Type: signed integer
Default:
0Declared by:
services.clamsmtp.instances.*.listen¶
Address to wait for incoming SMTP connections on. See clamsmtpd.conf(5) for more details.
Type: string
Example:
"127.0.0.1:10025"Declared by:
services.clamsmtp.instances.*.maxConnections¶
Maximum number of connections to accept at once.
Type: signed integer
Default:
64Declared by:
services.clamsmtp.instances.*.outAddress¶
Address of the SMTP server to send email to once it has been scanned.
Type: string
Declared by:
services.clamsmtp.instances.*.quarantine¶
Whether to quarantine files that contain viruses by leaving them in the temporary directory.
Type: boolean
Default:
falseDeclared by:
services.clamsmtp.instances.*.tempDirectory¶
Temporary directory that needs to be accessible to both clamd and clamsmtpd.
Type: string
Default:
"/tmp"Declared by:
services.clamsmtp.instances.*.timeout¶
Time-out for network connections.
Type: signed integer
Default:
180Declared by:
services.clamsmtp.instances.*.transparentProxy¶
Enable clamsmtp’s transparent proxy support.
Type: boolean
Default:
falseDeclared by:
services.clamsmtp.instances.*.virusAction¶
Command to run when a virus is found. Please see VIRUS ACTION in clamsmtpd(8) for a discussion of this option and its safe use.
Type: null or path
Default:
nullDeclared by:
services.clamsmtp.instances.*.xClient¶
Send the XCLIENT command to the receiving server, for forwarding client addresses and connection information if the receiving server supports this feature.
Type: boolean
Default:
falseDeclared by:
services.clickhouse.enable¶
Whether to enable ClickHouse database server.
Type: unspecified
Default:
falseDeclared by:
services.clight.enable¶
Whether to enable clight or not.
Type: boolean
Default:
falseDeclared by:
services.clight.settings¶
Additional configuration to extend clight.conf. See` <https://github.com/FedeDP/Clight/blob/master/Extra/clight.conf>`_ for a sample configuration file.
Type: attribute set of null or signed integer or string or boolean or floating point number or list of signed integer or string or boolean or floating point numberss
Default: ``{
}``
Example:
{ ac_capture_timeouts = [ 120 300 60 ] ; captures = 20; gamma_long_transition = true; }Declared by:
services.clight.temperature.day¶
Colour temperature to use during the day, between``1000`` and
25000K.Type: signed integer
Default:
5500Declared by:
services.clight.temperature.night¶
Colour temperature to use at night, between``1000`` and
25000K.Type: signed integer
Default:
3700Declared by:
services.cloud-init.enable¶
Enable the cloud-init service. This services reads configuration metadata in a cloud environment and configures the machine according to this metadata.
This configuration is not completely compatible with the NixOS way of doing configuration, as configuration done by cloud-init might be overriden by a subsequent nixos-rebuild call. However, some parts of cloud-init fall outside of NixOS’s responsibility, like filesystem resizing and ssh public key provisioning, and cloud-init is useful for that parts. Thus, be wary that using cloud-init in NixOS might come as some cost.
Type: boolean
Default:
falseDeclared by:
services.cloud-init.btrfs.enable¶
Allow the cloud-init service to operate `btrfs` filesystem.
Type: boolean
Default:
falseDeclared by:
services.cloud-init.config¶
cloud-init configuration.
Type: string
Default:
'' system_info: distro: nixos users: - root disable_root: false preserve_hostname: false cloud_init_modules: - migrator - seed_random - bootcmd - write-files - growpart - resizefs - update_etc_hosts - ca-certs - rsyslog - users-groups cloud_config_modules: - disk_setup - mounts - ssh-import-id - set-passwords - timezone - disable-ec2-metadata - runcmd - ssh cloud_final_modules: - rightscale_userdata - scripts-vendor - scripts-per-once - scripts-per-boot - scripts-per-instance - scripts-user - ssh-authkey-fingerprints - keys-to-console - phone-home - final-message - power-state-change ''Declared by:
services.cloud-init.ext4.enable¶
Allow the cloud-init service to operate `ext4` filesystem.
Type: boolean
Default:
trueDeclared by:
services.cntlm.enable¶
Whether to enable the cntlm, which start a local proxy.
Type: unspecified
Default:
falseDeclared by:
services.cntlm.configText¶
Verbatim contents of
cntlm.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.cntlm.domain¶
Proxy account domain/workgroup name.
Type: unspecified
Declared by:
services.cntlm.extraConfig¶
Additional config appended to the end of the generated
cntlm.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.cntlm.netbios_hostname¶
The hostname of your machine.
Type: string
Default:
""Declared by:
services.cntlm.noproxy¶
A list of domains where the proxy is skipped.
Type: unspecified
Default: ``[
]``
Example:
[ "\*.example.com" "example.com" ]Declared by:
services.cntlm.password¶
Proxy account password. Note: use chmod 0600 on /etc/cntlm.password for security.
Type: string
Default:
"/etc/cntlm.password"Declared by:
services.cntlm.port¶
Specifies on which ports the cntlm daemon listens.
Type: unspecified
Default:
[ 3128 ]Declared by:
services.cntlm.proxy¶
A list of NTLM/NTLMv2 authenticating HTTP proxies.
Parent proxy, which requires authentication. The same as proxy on the command-line, can be used more than once to specify unlimited number of proxies. Should one proxy fail, cntlm automatically moves on to the next one. The connect request fails only if the whole list of proxies is scanned and (for each request) and found to be invalid. Command-line takes precedence over the configuration file.
Type: unspecified
Example:
[ "proxy.example.com:81" ]Declared by:
services.cntlm.username¶
Proxy account name, without the possibility to include domain name (‘at’ sign is interpreted literally).
Type: unspecified
Declared by:
services.cockroachdb.enable¶
Whether to enable CockroachDB Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cockroachdb.package¶
The CockroachDB derivation to use for running the service.
This would primarily be useful to enable Enterprise Edition features in your own custom CockroachDB build (Nixpkgs CockroachDB binaries only contain open source features and open source code).
Type: package
Default:
"pkgs.cockroachdb"Declared by:
services.cockroachdb.cache¶
The total size for caches.
This can be a percentage, expressed with a fraction sign or as a decimal-point number, or any bytes-based unit. For example,``”25%”
, ``"0.25"both represent 25% of the available system memory. The values``”1000000000”`` and"1GB"both represent 1 gigabyte of memory.Type: string
Default:
"25%"Declared by:
services.cockroachdb.certsDir¶
The path to the certificate directory.
Type: null or path
Default:
nullDeclared by:
services.cockroachdb.group¶
User account under which CockroachDB runs
Type: string
Default:
"cockroachdb"Declared by:
services.cockroachdb.http.address¶
Address to bind to for http-based Admin UI
Type: string
Default:
"localhost"Declared by:
services.cockroachdb.http.port¶
Port to bind to for http-based Admin UI
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080Declared by:
services.cockroachdb.insecure¶
Run in insecure mode.
Type: boolean
Default:
falseDeclared by:
services.cockroachdb.join¶
The addresses for connecting the node to a cluster.
Type: null or string
Default:
nullDeclared by:
services.cockroachdb.listen.address¶
Address to bind to for intra-cluster communication
Type: string
Default:
"localhost"Declared by:
services.cockroachdb.listen.port¶
Port to bind to for intra-cluster communication
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
26257Declared by:
services.cockroachdb.locality¶
An ordered, comma-separated list of key-value pairs that describe the topography of the machine. Topography might include country, datacenter or rack designations. Data is automatically replicated to maximize diversities of each tier. The order of tiers is used to determine the priority of the diversity, so the more inclusive localities like country should come before less inclusive localities like datacenter. The tiers and order must be the same on all nodes. Including more tiers is better than including fewer. For example:
``country=us,region=us-west,datacenter=us-west-1b,rack=12 country=ca,region=ca-east,datacenter=ca-east-2,rack=4
planet=earth,province=manitoba,colo=secondary,power=3``
Type: null or string
Default:
nullDeclared by:
services.cockroachdb.maxSqlMemory¶
The maximum in-memory storage capacity available to store temporary data for SQL queries.
This can be a percentage, expressed with a fraction sign or as a decimal-point number, or any bytes-based unit. For example,``”25%”
, ``"0.25"both represent 25% of the available system memory. The values``”1000000000”`` and"1GB"both represent 1 gigabyte of memory.Type: string
Default:
"25%"Declared by:
services.cockroachdb.openPorts¶
Open firewall ports for cluster communication by default
Type: boolean
Default:
falseDeclared by:
services.cockroachdb.user¶
User account under which CockroachDB runs
Type: string
Default:
"cockroachdb"Declared by:
services.codimd.enable¶
Whether to enable the CodiMD Markdown Editor.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.codimd.configuration.allowAnonymous¶
Whether to allow anonymous usage.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.allowAnonymousEdits¶
Whether to allow guests to edit existing notes with the `freely’ permission, when is enabled.
Type: boolean
Default:
falseDeclared by:
services.codimd.configuration.allowEmailRegister¶
Wether to enable email registration.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.allowFreeURL¶
Whether to allow note creation by accessing a nonexistent note URL.
Type: boolean
Default:
falseDeclared by:
services.codimd.configuration.allowGravatar¶
Whether to use gravatar as profile picture source.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.allowOrigin¶
List of domains to whitelist.
Type: list of strings
Default: ``[
]``
Example:
[ "localhost" "codimd.org" ]Declared by:
services.codimd.configuration.allowPDFExport¶
Whether to enable PDF exports.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.azure¶
Configure the azure third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.azure.connectionString¶
Azure Blob Storage connection string.
Type: string
Declared by:
services.codimd.configuration.azure.container¶
Azure Blob Storage container name. It will be created if non-existent.
Type: string
Declared by:
services.codimd.configuration.csp¶
Specify the Content Security Policy which is passed to Helmet. For configuration details see https://helmetjs.github.io/docs/csp/.
Type: null or attribute set
Default:
nullExample:
{ enable = true; directives = { scriptSrc = "trustworthy.scripts.example.com"; }; upgradeInsecureRequest = "auto"; addDefaults = true; }Declared by:
services.codimd.configuration.db¶
Specify the configuration for sequelize. CodiMD supports mysql, postgres, sqlite and mssql. See https://sequelize.readthedocs.io/en/v3/ for more information. Note: This option overrides .
Type: attribute set
Default: ``{
}``
Example:
{ dialect = "sqlite"; storage = "/var/lib/codimd/db.codimd.sqlite"; }Declared by:
services.codimd.configuration.dbURL¶
Specify which database to use. CodiMD supports mysql, postgres, sqlite and mssql. See https://sequelize.readthedocs.io/en/v3/ for more information. Note: This option overrides .
Type: null or string
Default:
nullExample:
'' postgres://user:pass@host:5432/dbname ''Declared by:
services.codimd.configuration.debug¶
Whether to enable debug mode.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.codimd.configuration.defaultNotePath¶
Path to the default Note file. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/default.md"Declared by:
services.codimd.configuration.defaultPermission¶
Default permissions for notes. This only applies for signed-in users.
Type: one of “freely”, “editable”, “limited”, “locked”, “private”
Default:
"editable"Declared by:
services.codimd.configuration.dhParamPath¶
Path to the SSL dh params. Needed when is enabled.
Type: null or string
Default:
nullExample:
"/var/lib/codimd/dhparam.pem"Declared by:
services.codimd.configuration.docsPath¶
Path to the docs directory. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/docs"Declared by:
services.codimd.configuration.documentMaxLength¶
Specify the maximum document length.
Type: signed integer
Default:
100000Declared by:
services.codimd.configuration.domain¶
Domain name for the CodiMD instance.
Type: null or string
Default:
nullExample:
"codimd.org"Declared by:
services.codimd.configuration.dropbox¶
Configure the Dropbox third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.dropbox.appKey¶
services.codimd.configuration.dropbox.clientID¶
Dropbox API client ID.
Type: string
Declared by:
services.codimd.configuration.dropbox.clientSecret¶
Dropbox API client secret.
Type: string
Declared by:
services.codimd.configuration.email¶
Whether to enable email sign-in.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.errorPath¶
Path to the error template file. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/views/error.ejs"Declared by:
services.codimd.configuration.facebook¶
Configure the facebook third-party integration
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.facebook.clientID¶
Facebook API client ID.
Type: string
Declared by:
services.codimd.configuration.facebook.clientSecret¶
Facebook API client secret.
Type: string
Declared by:
services.codimd.configuration.github¶
Configure the GitHub third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.github.clientID¶
GitHub API client ID.
Type: string
Declared by:
services.codimd.configuration.github.clientSecret¶
Github API client secret.
Type: string
Declared by:
services.codimd.configuration.gitlab¶
Configure the GitLab third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.gitlab.baseURL¶
GitLab API authentication endpoint. Only needed for other endpoints than gitlab.com.
Type: string
Default:
""Declared by:
services.codimd.configuration.gitlab.clientID¶
GitLab API client ID.
Type: string
Declared by:
services.codimd.configuration.gitlab.clientSecret¶
GitLab API client secret.
Type: string
Declared by:
services.codimd.configuration.gitlab.scope¶
GitLab API requested scope. GitLab snippet import/export requires api scope.
Type: one of “api”, “read_user”
Default:
"api"Declared by:
services.codimd.configuration.google¶
Configure the Google third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.google.clientID¶
Google API client ID.
Type: string
Declared by:
services.codimd.configuration.google.clientSecret¶
Google API client secret.
Type: string
Declared by:
services.codimd.configuration.hackmdPath¶
Path to the hackmd template file. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/views/hackmd.ejs"Declared by:
services.codimd.configuration.heartbeatInterval¶
Specify the socket.io heartbeat interval.
Type: signed integer
Default:
5000Declared by:
services.codimd.configuration.heartbeatTimeout¶
Specify the socket.io heartbeat timeout.
Type: signed integer
Default:
10000Declared by:
services.codimd.configuration.host¶
Address to listen on.
Type: string
Default:
"localhost"Declared by:
services.codimd.configuration.hsts.enable¶
Wheter to enable HSTS if HTTPS is also enabled.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.hsts.includeSubdomains¶
Whether to include subdomains in HSTS.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.hsts.maxAgeSeconds¶
Max duration for clients to keep the HSTS status.
Type: signed integer
Default:
31536000Declared by:
services.codimd.configuration.hsts.preload¶
Whether to allow preloading of the site’s HSTS status.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.imageUploadType¶
Specify where to upload images.
Type: one of “imgur”, “s3”, “minio”, “filesystem”
Default:
"filesystem"Declared by:
services.codimd.configuration.imgur.clientId¶
Imgur API client ID.
Type: null or string
Default:
nullDeclared by:
services.codimd.configuration.indexPath¶
Path to the index template file. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/views/index.ejs"Declared by:
services.codimd.configuration.ldap¶
Configure the LDAP integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.ldap.bindCredentials¶
Bind credentials for LDAP access.
Type: string
Declared by:
services.codimd.configuration.ldap.bindDn¶
Bind DN for LDAP access.
Type: string
Declared by:
services.codimd.configuration.ldap.providerName¶
Optional name to be displayed at login form, indicating the LDAP provider.
Type: string
Default:
""Declared by:
services.codimd.configuration.ldap.searchAttributes¶
LDAP attributes to search with.
Type: list of strings
Example:
[ "displayName" "mail" ]Declared by:
services.codimd.configuration.ldap.searchBase¶
LDAP directory to begin search from.
Type: string
Example:
"o=users,dc=example,dc=com"Declared by:
services.codimd.configuration.ldap.searchFilter¶
LDAP filter to search with.
Type: string
Example:
"(uid={{username}})"Declared by:
services.codimd.configuration.ldap.tlsca¶
Root CA for LDAP TLS in PEM format.
Type: string
Example:
"server-cert.pem,root.pem"Declared by:
services.codimd.configuration.ldap.url¶
URL of LDAP server.
Type: string
Example:
"ldap://localhost"Declared by:
services.codimd.configuration.ldap.userNameField¶
LDAP field which is used as the username on CodiMD. By default is used.
Type: string
Default:
""Declared by:
services.codimd.configuration.ldap.useridField¶
LDAP field which is a unique identifier for users on CodiMD.
Type: string
Example:
"uid"Declared by:
services.codimd.configuration.mattermost¶
Configure the Mattermost third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.mattermost.baseURL¶
Mattermost authentication endpoint.
Type: string
Declared by:
services.codimd.configuration.mattermost.clientID¶
Mattermost API client ID.
Type: string
Declared by:
services.codimd.configuration.mattermost.clientSecret¶
Mattermost API client secret.
Type: string
Declared by:
services.codimd.configuration.minio¶
Configure the minio third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.minio.accessKey¶
services.codimd.configuration.minio.endpoint¶
services.codimd.configuration.minio.port¶
Minio listen port.
Type: signed integer
Default:
9000Declared by:
services.codimd.configuration.minio.secretKey¶
services.codimd.configuration.minio.secure¶
Whether to use HTTPS for Minio.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.oauth2¶
Configure the OAuth integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.oauth2.authorizationURL¶
Specify the OAuth authorization URL.
Type: string
Declared by:
services.codimd.configuration.oauth2.clientID¶
Specify the OAuth client ID.
Type: string
Declared by:
services.codimd.configuration.oauth2.clientSecret¶
Specify the OAuth client secret.
Type: string
Declared by:
services.codimd.configuration.oauth2.tokenURL¶
Specify the OAuth token URL.
Type: string
Declared by:
services.codimd.configuration.path¶
Specify where a UNIX domain socket should be placed.
Type: null or string
Default:
nullExample:
"/run/codimd.sock"Declared by:
services.codimd.configuration.port¶
Port to listen on.
Type: signed integer
Default:
3000Example:
"80"Declared by:
services.codimd.configuration.prettyPath¶
Path to the pretty template file. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/views/pretty.ejs"Declared by:
services.codimd.configuration.protocolUseSSL¶
Enable to use TLS for resource paths. This only applies when is set.
Type: boolean
Default:
falseDeclared by:
services.codimd.configuration.s3¶
Configure the s3 third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.s3.accessKeyId¶
services.codimd.configuration.s3.region¶
services.codimd.configuration.s3.secretAccessKey¶
services.codimd.configuration.s3bucket¶
Specify the bucket name for upload types
s3andminio.Type: null or string
Default:
nullDeclared by:
services.codimd.configuration.saml¶
Configure the SAML integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.saml.attribute.email¶
Attribute map for `email’. Defaults to `NameID’ of SAML response if has the default value.
Type: string
Default:
""Declared by:
services.codimd.configuration.saml.attribute.id¶
Attribute map for `id’. Defaults to `NameID’ of SAML response.
Type: string
Default:
""Declared by:
services.codimd.configuration.saml.attribute.username¶
Attribute map for `username’. Defaults to `NameID’ of SAML response.
Type: string
Default:
""Declared by:
services.codimd.configuration.saml.externalGroups¶
Excluded group names.
Type: list of strings
Default: ``[
]``
Example:
[ "Temporary-staff" "External-users" ]Declared by:
services.codimd.configuration.saml.groupAttribute¶
Optional attribute name for group list.
Type: string
Default:
""Example:
"memberOf"Declared by:
services.codimd.configuration.saml.identifierFormat¶
Optional name identifier format.
Type: string
Default:
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"Declared by:
services.codimd.configuration.saml.idpCert¶
Path to IdP certificate file in PEM format.
Type: path
Example:
"/path/to/cert.pem"Declared by:
services.codimd.configuration.saml.idpSsoUrl¶
IdP authentication endpoint.
Type: string
Example:
"https://idp.example.com/sso"Declared by:
services.codimd.configuration.saml.issuer¶
Optional identity of the service provider. This defaults to the server URL.
Type: string
Default:
""Declared by:
services.codimd.configuration.saml.requiredGroups¶
Required group names.
Type: list of strings
Default: ``[
]``
Example:
[ "Hackmd-users" "Codimd-users" ]Declared by:
services.codimd.configuration.sessionLife¶
Session life time in milliseconds.
Type: signed integer
Default:
1209600000Declared by:
services.codimd.configuration.sessionName¶
Specify the name of the session cookie.
Type: string
Default:
"connect.sid"Declared by:
services.codimd.configuration.sessionSecret¶
Specify the secret used to sign the session cookie. If unset, one will be generated on startup.
Type: null or string
Default:
nullDeclared by:
services.codimd.configuration.slidePath¶
Path to the slide template file. (Non-canonical paths are relative to CodiMD’s base directory)
Type: null or string
Default:
"./public/views/slide.hbs"Declared by:
services.codimd.configuration.sslCAPath¶
SSL ca chain. Needed when is enabled.
Type: list of strings
Default: ``[
]``
Example:
[ "/var/lib/codimd/ca.crt" ]Declared by:
services.codimd.configuration.sslCertPath¶
Path to the SSL cert. Needed when is enabled.
Type: null or string
Default:
nullExample:
"/var/lib/codimd/codimd.crt"Declared by:
services.codimd.configuration.sslKeyPath¶
Path to the SSL key. Needed when is enabled.
Type: null or string
Default:
nullExample:
"/var/lib/codimd/codimd.key"Declared by:
services.codimd.configuration.tmpPath¶
Path to the temp directory CodiMD should use. Note that is enabled for the CodiMD systemd service by default. (Non-canonical paths are relative to CodiMD’s base directory)
Type: string
Default:
"/tmp"Declared by:
services.codimd.configuration.twitter¶
Configure the Twitter third-party integration.
Type: null or submodule
Default:
nullDeclared by:
services.codimd.configuration.twitter.consumerKey¶
Twitter API consumer key.
Type: string
Declared by:
services.codimd.configuration.twitter.consumerSecret¶
Twitter API consumer secret.
Type: string
Declared by:
services.codimd.configuration.uploadsPath¶
Path under which uploaded files are saved.
Type: string
Default:
"/var/lib/codimd/uploads"Declared by:
services.codimd.configuration.urlAddPort¶
Enable to add the port to callback URLs. This only applies when is set and only for ports other than 80 and 443.
Type: boolean
Default:
falseDeclared by:
services.codimd.configuration.urlPath¶
Path under which CodiMD is accessible.
Type: null or string
Default:
nullExample:
"/url/path/to/codimd"Declared by:
services.codimd.configuration.useCDN¶
Whether to use CDN resources or not.
Type: boolean
Default:
trueDeclared by:
services.codimd.configuration.useSSL¶
Enable to use SSL server. This will also enable.
Type: boolean
Default:
falseDeclared by:
services.codimd.groups¶
Groups to which the codimd user should be added.
Type: list of strings
Default: ``[
]``
Declared by:
services.codimd.workDir¶
Working directory for the CodiMD service.
Type: path
Default:
"/var/lib/codimd"Declared by:
services.collectd.enable¶
Whether to enable collectd agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.collectd.package¶
Which collectd package to use.
Type: package
Default:
"pkgs.collectd"Declared by:
services.collectd.autoLoadPlugin¶
Enable plugin autoloading.
Type: boolean
Default:
falseDeclared by:
services.collectd.buildMinimalPackage¶
Build a minimal collectd package with only the configured `services.collectd.plugins`
Type: boolean
Default:
falseDeclared by:
services.collectd.dataDir¶
Data directory for collectd agent.
Type: path
Default:
"/var/lib/collectd"Declared by:
services.collectd.extraConfig¶
Extra configuration for collectd.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.collectd.include¶
services.collectd.plugins¶
Attribute set of plugin names to plugin config segments
Type: attribute set of strings
Default: ``{
}``
Example:
{ cpu = ""; memory = ""; network = "Server 192.168.1.1 25826"; }Declared by:
services.collectd.user¶
User under which to run collectd.
Type: null or string
Default:
"collectd"Declared by:
services.colord.enable¶
Whether to enable colord, the color management daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.compton¶
services.confd.enable¶
Whether to enable confd service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.confd.package¶
Confd package to use.
Type: package
Default:
"pkgs.confd"Declared by:
services.confd.backend¶
Confd config storage backend to use.
Type: one of “etcd”, “consul”, “redis”, “zookeeper”
Default:
"etcd"Declared by:
services.confd.confDir¶
The path to the confd configs.
Type: path
Default:
"/etc/confd"Declared by:
services.confd.interval¶
Confd check interval.
Type: signed integer
Default:
10Declared by:
services.confd.logLevel¶
Confd log level.
Type: one of “info”, “debug”
Default:
"info"Declared by:
services.confd.nodes¶
Confd list of nodes to connect to.
Type: list of strings
Default:
[ "http://127.0.0.1:2379" ]Declared by:
services.confd.prefix¶
The string to prefix to keys.
Type: path
Default:
"/"Declared by:
services.confd.watch¶
Confd, whether to watch etcd config for changes.
Type: boolean
Default:
trueDeclared by:
services.confluence.enable¶
Whether to enable Atlassian Confluence service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.confluence.package¶
Atlassian Confluence package to use.
Type: package
Default:
"pkgs.atlassian-confluence"Declared by:
services.confluence.catalinaOptions¶
Java options to pass to catalina/tomcat.
Type: list of strings
Default: ``[
]``
Example:
[ "-Xms1024m" "-Xmx2048m" "-Dconfluence.disable.peopledirectory.all=true" ]Declared by:
services.confluence.group¶
Group which runs confluence.
Type: string
Default:
"confluence"Declared by:
services.confluence.home¶
Home directory of the confluence instance.
Type: string
Default:
"/var/lib/confluence"Declared by:
services.confluence.jrePackage¶
Note that Atlassian only support the Oracle JRE (JRASERVER-46152).
Type: package
Default:
"pkgs.oraclejre8"Declared by:
services.confluence.listenAddress¶
Address to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.confluence.listenPort¶
Port to listen on.
Type: signed integer
Default:
8090Declared by:
services.confluence.proxy.enable¶
Whether to enable proxy support.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.confluence.proxy.name¶
Virtual hostname at the proxy
Type: string
Example:
"confluence.example.com"Declared by:
services.confluence.proxy.port¶
Port used at the proxy
Type: signed integer
Default:
443Example:
80Declared by:
services.confluence.proxy.scheme¶
Protocol used at the proxy.
Type: string
Default:
"https"Example:
"http"Declared by:
services.confluence.sso.enable¶
Whether to enable SSO with Atlassian Crowd.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.confluence.sso.applicationName¶
Exact name of this Confluence instance in Crowd
Type: string
Example:
"jira"Declared by:
services.confluence.sso.applicationPassword¶
Application password of this Confluence instance in Crowd
Type: string
Declared by:
services.confluence.sso.crowd¶
Crowd Base URL without trailing slash
Type: string
Example:
"http://localhost:8095/crowd"Declared by:
services.confluence.sso.validationInterval¶
Set to 0, if you want authentication checks to occur on each request. Otherwise set to the number of minutes between request to validate if the user is logged in or out of the Crowd SSO server. Setting this value to 1 or higher will increase the performance of Crowd’s integration.
Type: signed integer
Default:
2Example:
0Declared by:
services.confluence.user¶
User which runs confluence.
Type: string
Default:
"confluence"Declared by:
services.connman.enable¶
Whether to use ConnMan for managing your network connections.
Type: boolean
Default:
falseDeclared by:
services.connman.enableVPN¶
Whether to enable ConnMan VPN service.
Type: boolean
Default:
trueDeclared by:
services.connman.extraConfig¶
Configuration lines appended to the generated connman configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.connman.extraFlags¶
Extra flags to pass to connmand
Type: list of strings
Default: ``[
]``
Example:
[ "--nodnsproxy" ]Declared by:
services.connman.networkInterfaceBlacklist¶
Default blacklisted interfaces, this includes NixOS containers interfaces (ve).
Type: list of strings
Default:
[ "vmnet" "vboxnet" "virbr" "ifb" "ve" ]Declared by:
services.connman.wifi.backend¶
Specify the Wi-Fi backend used. Currently supported are or .
Type: one of “wpa_supplicant”, “iwd”
Default:
"wpa_supplicant"Declared by:
services.consul.enable¶
Enables the consul daemon.
Type: boolean
Default:
falseDeclared by:
services.consul.package¶
The package used for the Consul agent and CLI.
Type: package
Default:
"pkgs.consul"Declared by:
services.consul.alerts.enable¶
Whether to enable consul-alerts.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.consul.alerts.package¶
Package to use for consul-alerts.
Type: package
Default:
"pkgs.consul-alerts"Declared by:
services.consul.alerts.consulAddr¶
Consul api listening adddress
Type: string
Default:
"localhost:8500"Declared by:
services.consul.alerts.listenAddr¶
Api listening address.
Type: string
Default:
"localhost:9000"Declared by:
services.consul.alerts.watchChecks¶
Whether to enable check watcher.
Type: boolean
Default:
trueDeclared by:
services.consul.alerts.watchEvents¶
Whether to enable event watcher.
Type: boolean
Default:
trueDeclared by:
services.consul.dropPrivileges¶
Whether the consul agent should be run as a non-root consul user.
Type: boolean
Default:
trueDeclared by:
services.consul.extraConfig¶
Extra configuration options which are serialized to json and added to the config.json file.
Type: unspecified
Default: ``{
}``
Declared by:
services.consul.extraConfigFiles¶
Additional configuration files to pass to consul NOTE: These will not trigger the service to be restarted when altered.
Type: list of strings
Default: ``[
]``
Declared by:
services.consul.forceIpv4¶
Whether we should force the interfaces to only pull ipv4 addresses.
Type: boolean
Default:
falseDeclared by:
services.consul.interface.advertise¶
The name of the interface to pull the advertise_addr from.
Type: null or string
Default:
nullDeclared by:
services.consul.interface.bind¶
The name of the interface to pull the bind_addr from.
Type: null or string
Default:
nullDeclared by:
services.consul.leaveOnStop¶
If enabled, causes a leave action to be sent when closing consul. This allows a clean termination of the node, but permanently removes it from the cluster. You probably don’t want this option unless you are running a node which going offline in a permanent / semi-permanent fashion.
Type: boolean
Default:
falseDeclared by:
services.consul.webUi¶
Enables the web interface on the consul http port.
Type: boolean
Default:
falseDeclared by:
services.coredns.enable¶
Whether to enable Coredns dns server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.coredns.package¶
Coredns package to use.
Type: package
Default:
"pkgs.coredns"Declared by:
services.coredns.config¶
Verbatim Corefile to use. See ` <https://coredns.io/manual/toc/#configuration>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
'' . { whoami } ''Declared by:
services.corerad.enable¶
Whether to enable CoreRAD IPv6 NDP RA daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.corerad.package¶
CoreRAD package to use.
Type: package
Default:
pkgs.coreradDeclared by:
services.corerad.configFile¶
Path to CoreRAD TOML configuration file.
Type: path
Example:
"${pkgs.corerad}/etc/corerad/corerad.toml"Declared by:
services.coturn.enable¶
Whether to enable coturn TURN server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.coturn.alt-listening-port¶
Alternative listening port for UDP and TCP listeners; default (or zero) value means “listening port plus one”. This is needed for RFC 5780 support (STUN extension specs, NAT behavior discovery). The TURN Server supports RFC 5780 only if it is started with more than one listening IP address of the same family (IPv4 or IPv6). RFC 5780 is supported only by UDP protocol, other protocols are listening to that endpoint only for “symmetry”.
Type: signed integer
Default:
"listening-port + 1"Declared by:
services.coturn.alt-tls-listening-port¶
Alternative listening port for TLS and DTLS protocols.
Type: signed integer
Default:
"tls-listening-port + 1"Declared by:
services.coturn.cert¶
Certificate file in PEM format.
Type: null or string
Default:
nullExample:
"/var/lib/acme/example.com/fullchain.pem"Declared by:
services.coturn.cli-ip¶
Local system IP address to be used for CLI server endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.coturn.cli-password¶
CLI access password. For the security reasons, it is recommended to use the encrypted for of the password (see the -P command in the turnadmin utility).
Type: null or string
Default:
nullDeclared by:
services.coturn.cli-port¶
CLI server port.
Type: signed integer
Default:
5766Declared by:
services.coturn.dh-file¶
Use custom DH TLS key, stored in PEM format in the file.
Type: null or string
Default:
nullDeclared by:
services.coturn.extraConfig¶
Additional configuration options
Type: strings concatenated with “\n”
Default:
""Declared by:
services.coturn.listening-ips¶
Listener IP addresses of relay server. If no IP(s) specified in the config file or in the command line options, then all IPv4 and IPv6 system IPs will be used for listening.
Type: list of strings
Default: ``[
]``
Example:
[ "203.0.113.42" "2001:DB8::42" ]Declared by:
services.coturn.listening-port¶
TURN listener port for UDP and TCP. Note: actually, TLS and DTLS sessions can connect to the “plain” TCP and UDP port(s), too - if allowed by configuration.
Type: signed integer
Default:
3478Declared by:
services.coturn.lt-cred-mech¶
Use long-term credential mechanism.
Type: boolean
Default:
falseDeclared by:
services.coturn.max-port¶
Upper bound of UDP relay endpoints
Type: signed integer
Default:
65535Declared by:
services.coturn.min-port¶
Lower bound of UDP relay endpoints
Type: signed integer
Default:
49152Declared by:
services.coturn.no-auth¶
This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access). If neither option is defined, and no users are defined, then no-auth is default. If at least one user is defined, in this file or in command line or in usersdb file, then lt-cred-mech is default.
Type: boolean
Default:
falseDeclared by:
services.coturn.no-cli¶
Turn OFF the CLI support.
Type: boolean
Default:
falseDeclared by:
services.coturn.no-dtls¶
Disable DTLS client listener
Type: boolean
Default:
falseDeclared by:
services.coturn.no-tcp¶
Disable TCP client listener
Type: boolean
Default:
falseDeclared by:
services.coturn.no-tcp-relay¶
Disable TCP relay endpoints
Type: boolean
Default:
falseDeclared by:
services.coturn.no-tls¶
Disable TLS client listener
Type: boolean
Default:
falseDeclared by:
services.coturn.no-udp¶
Disable UDP client listener
Type: boolean
Default:
falseDeclared by:
services.coturn.no-udp-relay¶
Disable UDP relay endpoints
Type: boolean
Default:
falseDeclared by:
services.coturn.pkey¶
Private key file in PEM format.
Type: null or string
Default:
nullExample:
"/var/lib/acme/example.com/key.pem"Declared by:
services.coturn.realm¶
The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings and the userdb file). Must be used with long-term credentials mechanism or with TURN REST API.
Type: string
Default:
"nixos"Example:
"example.com"Declared by:
services.coturn.relay-ips¶
Relay address (the local IP address that will be used to relay the packets to the peer). Multiple relay addresses may be used. The same IP(s) can be used as both listening IP(s) and relay IP(s).
If no relay IP(s) specified, then the turnserver will apply the default policy: it will decide itself which relay addresses to be used, and it will always be using the client socket IP address as the relay IP address of the TURN session (if the requested relay address family is the same as the family of the client socket).
Type: list of strings
Default: ``[
]``
Example:
[ "203.0.113.42" "2001:DB8::42" ]Declared by:
services.coturn.secure-stun¶
Require authentication of the STUN Binding request. By default, the clients are allowed anonymous access to the STUN Binding functionality.
Type: boolean
Default:
falseDeclared by:
services.coturn.static-auth-secret¶
‘Static’ authentication secret value (a string) for TURN REST API only. If not set, then the turn server will try to use the ‘dynamic’ value in turn_secret table in user database (if present). The database-stored value can be changed on-the-fly by a separate program, so this is why that other mode is ‘dynamic’.
Type: null or string
Default:
nullDeclared by:
services.coturn.tls-listening-port¶
TURN listener port for TLS. Note: actually, “plain” TCP and UDP sessions can connect to the TLS and DTLS port(s), too - if allowed by configuration. The TURN server “automatically” recognizes the type of traffic. Actually, two listening endpoints (the “plain” one and the “tls” one) are equivalent in terms of functionality; but we keep both endpoints to satisfy the RFC 5766 specs. For secure TCP connections, we currently support SSL version 3 and TLS version 1.0, 1.1 and 1.2. For secure UDP connections, we support DTLS version 1.
Type: signed integer
Default:
5349Declared by:
services.coturn.use-auth-secret¶
TURN REST API flag. Flag that sets a special authorization option that is based upon authentication secret. This feature can be used with the long-term authentication mechanism, only. This feature purpose is to support “TURN Server REST API”, see “TURN REST API” link in the project’s page https://github.com/coturn/coturn/
This option is used with timestamp:
usercombo -> “timestamp:userid” turn user -> usercombo turn password -> base64(hmac(secret key, usercombo))
This allows TURN credentials to be accounted for a specific user id. If you don’t have a suitable id, the timestamp alone can be used. This option is just turning on secret-based authentication. The actual value of the secret is defined either by option static-auth-secret, or can be found in the turn_secret table in the database.
Type: boolean
Default:
falseDeclared by:
services.couchdb.enable¶
Whether to run CouchDB Server.
Type: boolean
Default:
falseDeclared by:
services.couchdb.package¶
CouchDB package to use.
Type: package
Default:
"pkgs.couchdb"Example:
pkgs.couchdbDeclared by:
services.couchdb.bindAddress¶
Defines the IP address by which CouchDB will be accessible.
Type: string
Default:
"127.0.0.1"Declared by:
services.couchdb.configFile¶
Configuration file for persisting runtime changes. File needs to be readable and writable from couchdb user/group.
Type: path
Declared by:
services.couchdb.databaseDir¶
Specifies location of CouchDB database files (*.couch named). This location should be writable and readable for the user the CouchDB service runs as (couchdb by default).
Type: path
Default:
"/var/lib/couchdb"Declared by:
services.couchdb.extraConfig¶
Extra configuration. Overrides any other cofiguration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.couchdb.group¶
Group account under which couchdb runs.
Type: string
Default:
"couchdb"Declared by:
services.couchdb.logFile¶
Specifies the location of file for logging output.
Type: path
Default:
"/var/log/couchdb.log"Declared by:
services.couchdb.port¶
Defined the port number to listen.
Type: signed integer
Default:
5984Declared by:
services.couchdb.uriFile¶
This file contains the full URI that can be used to access this instance of CouchDB. It is used to help discover the port CouchDB is running on (if it was set to 0 (e.g. automatically assigned any free one). This file should be writable and readable for the user that runs the CouchDB service (couchdb by default).
Type: path
Default:
"/run/couchdb/couchdb.uri"Declared by:
services.couchdb.user¶
User account under which couchdb runs.
Type: string
Default:
"couchdb"Declared by:
services.couchdb.viewIndexDir¶
Specifies location of CouchDB view index files. This location should be writable and readable for the user that runs the CouchDB service (couchdb by default).
Type: path
Default:
"/var/lib/couchdb"Declared by:
services.couchpotato.enable¶
Whether to enable CouchPotato Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cpuminer-cryptonight.enable¶
Whether to enable the cpuminer cryptonight miner.
Type: boolean
Default:
falseDeclared by:
services.cpuminer-cryptonight.pass¶
Password for mining server
Type: string
Default:
"x"Declared by:
services.cpuminer-cryptonight.threads¶
Number of miner threads, defaults to available processors
Type: signed integer
Default:
0Declared by:
services.cpuminer-cryptonight.url¶
URL of mining server
Type: string
Declared by:
services.cpuminer-cryptonight.user¶
Username for mining server
Type: string
Declared by:
services.cron.enable¶
Whether to enable the Vixie cron daemon.
Type: boolean
Default:
falseDeclared by:
services.cron.cronFiles¶
A list of extra crontab files that will be read and appended to the main crontab file when the cron service starts.
Type: list of paths
Default: ``[
]``
Declared by:
services.cron.mailto¶
Email address to which job output will be mailed.
Type: null or string
Default:
nullDeclared by:
services.cron.systemCronJobs¶
A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid sendmail. See
If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root is allowed to have its own crontab file. The /var/cron/cron.deny file is created automatically for you, so every user can use a crontab.
Many nixos modules set systemCronJobs, so if you decide to disable vixie cron and enable another cron daemon, you may want it to get its system crontab based on systemCronJobs.
Type: list of strings
Default: ``[
]``
Example:
[ "* * * * * test ls -l / > /tmp/cronout 2>&1" "* * * * * eelco echo Hello World > /home/eelco/cronout" ]Declared by:
services.crowd.enable¶
Whether to enable Atlassian Crowd service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.crowd.package¶
Atlassian Crowd package to use.
Type: package
Default:
"pkgs.atlassian-crowd"Declared by:
services.crowd.catalinaOptions¶
Java options to pass to catalina/tomcat.
Type: list of strings
Default: ``[
]``
Example:
[ "-Xms1024m" "-Xmx2048m" ]Declared by:
services.crowd.group¶
Group which runs Crowd.
Type: string
Default:
"crowd"Declared by:
services.crowd.home¶
Home directory of the Crowd instance.
Type: string
Default:
"/var/lib/crowd"Declared by:
services.crowd.jrePackage¶
Note that Atlassian only support the Oracle JRE (JRASERVER-46152).
Type: package
Default:
"pkgs.oraclejre8"Declared by:
services.crowd.listenAddress¶
Address to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.crowd.listenPort¶
Port to listen on.
Type: signed integer
Default:
8092Declared by:
services.crowd.openidPassword¶
Application password for OpenID server.
Type: string
Declared by:
services.crowd.proxy.enable¶
Whether to enable reverse proxy support.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.crowd.proxy.name¶
Virtual hostname at the proxy
Type: string
Example:
"crowd.example.com"Declared by:
services.crowd.proxy.port¶
Port used at the proxy
Type: signed integer
Default:
443Example:
80Declared by:
services.crowd.proxy.scheme¶
Protocol used at the proxy.
Type: string
Default:
"https"Example:
"http"Declared by:
services.crowd.proxy.secure¶
Whether the connections to the proxy should be considered secure.
Type: boolean
Default:
trueDeclared by:
services.crowd.user¶
User which runs Crowd.
Type: string
Default:
"crowd"Declared by:
services.cryptpad.enable¶
Whether to enable the Cryptpad service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.cryptpad.package¶
Cryptpad package to use.
Type: package
Default:
"pkgs.cryptpad"Declared by:
services.cryptpad.configFile¶
Path to the JavaScript configuration file.
See ` <https://github.com/xwiki-labs/cryptpad/blob/master/config/config.example.js>`_ for a configuration example.
Type: path
Default:
"\\${cfg.package}/lib/node_modules/cryptpad/config/config.example.js"Declared by:
services.dante.enable¶
Whether to enable Dante SOCKS proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dante.config¶
Contents of Dante’s configuration file. NOTE: user.privileged, user.unprivileged and logoutput are set by the service.
Type: strings concatenated with “\n”
Declared by:
services.darkhttpd.enable¶
Whether to enable DarkHTTPd web server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.darkhttpd.address¶
Address to listen on. Pass `all` to listen on all interfaces.
Type: string
Default:
"127.0.0.1"Declared by:
services.darkhttpd.extraArgs¶
Additional configuration passed to the executable.
Type: list of strings
Default: ``[
]``
Declared by:
services.darkhttpd.hideServerId¶
Don’t identify the server type in headers or directory listings.
Type: boolean
Default:
trueDeclared by:
services.darkhttpd.port¶
Port to listen on. Pass 0 to let the system choose any free port for you.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
80Declared by:
services.darkhttpd.rootDir¶
Path from which to serve files.
Type: path
Declared by:
services.das_watchdog.enable¶
Whether to enable realtime watchdog.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.datadog-agent.enable¶
Whether to enable the datadog-agent v6 monitoring service
Type: boolean
Default:
falseDeclared by:
services.datadog-agent.enableLiveProcessCollection¶
Whether to enable the live process collection agent.
Type: boolean
Default:
falseDeclared by:
services.datadog-agent.enableTraceAgent¶
Whether to enable the trace agent.
Type: boolean
Default:
falseDeclared by:
services.datadog-agent.package¶
Which DataDog v6 agent package to use. Note that the provided package is expected to have an overridable `pythonPackages`-attribute which configures the Python environment with the Datadog checks.
Type: package
Default:
"pkgs.datadog-agent"Declared by:
services.datadog-agent.apiKeyFile¶
Path to a file containing the Datadog API key to associate the agent with your account.
Type: path
Example:
"/run/keys/datadog_api_key"Declared by:
services.datadog-agent.checks¶
Configuration for all Datadog checks. Keys of this attribute set will be used as the name of the check to create the appropriate configuration in `conf.d/$check.d/conf.yaml`.
The configuration is converted into JSON from the plain Nix language configuration, meaning that you should write configuration adhering to Datadog’s documentation - but in Nix language.
Refer to the implementation of this module (specifically the definition of `defaultChecks`) for an example.
Note: The ‘disk’ and ‘network’ check are configured in separate options because they exist by default. Attempting to override their configuration here will have no effect.
Type: attribute set of attribute sets
Default: ``{
}``
Example: ``{ http_check = { init_config = null; instances = [
{ name = “some-service”; tags = [ “some-service” ] ; url = “http://localhost:1337/healthz”; }
}``
Declared by:
services.datadog-agent.diskCheck¶
Disk check config
Type: attribute set
Default: ``{ init_config = {
} ; instances = [
{ use_mount = “false”; }
}``
Declared by:
services.datadog-agent.extraConfig¶
Extra configuration options that will be merged into the main config file
datadog.yaml.Type: attribute set
Default: ``{
}``
Declared by:
services.datadog-agent.extraIntegrations¶
Extra integrations from the Datadog core-integrations repository that should be built and included.
By default the included integrations are disk, mongo, network, nginx and postgres.
To include additional integrations the name of the derivation and a function to filter its dependencies from the Python package set must be provided.
Type: attribute set
Default: ``{
}``
Example:
{ ntp = "<function>"; }Declared by:
services.datadog-agent.hostname¶
The hostname to show in the Datadog dashboard (optional)
Type: null or string
Default:
nullExample:
"mymachine.mydomain"Declared by:
services.datadog-agent.logLevel¶
Logging verbosity.
Type: null or one of “DEBUG”, “INFO”, “WARN”, “ERROR”
Default:
nullDeclared by:
services.datadog-agent.networkCheck¶
Network check config
Type: attribute set
Default: ``{ init_config = {
} ; instances = [
{ collect_connection_state = false; excluded_interfaces = [ “lo” “lo0” ] ; }
}``
Declared by:
services.datadog-agent.tags¶
The tags to mark this Datadog agent
Type: null or list of strings
Default:
nullExample:
[ "test" "service" ]Declared by:
services.davfs2.enable¶
Whether to enable davfs2.
Type: boolean
Default:
falseDeclared by:
services.davfs2.davGroup¶
The group of the running mount.davfs daemon. Ordinary users must be member of this group in order to mount a davfs2 file system. Value must be given as name, not as numerical id.
Type: string
Default:
"davfs2"Declared by:
services.davfs2.davUser¶
When invoked by root the mount.davfs daemon will run as this user. Value must be given as name, not as numerical id.
Type: string
Default:
"davfs2"Declared by:
services.davfs2.extraConfig¶
Extra lines appended to the configuration of davfs2.
Type: strings concatenated with “\n”
Default:
""Example:
'' kernel_fs coda proxy foo.bar:8080 use_locks 0 ''Declared by:
services.davmail.enable¶
Whether to enable davmail, an MS Exchange gateway.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.davmail.config¶
Davmail configuration. Refer to` <http://davmail.sourceforge.net/serversetup.html>`_ and ` <http://davmail.sourceforge.net/advanced.html>`_ for details on supported values.
Type: davmail config type (str, int, bool or attribute set thereof)
Default: ``{
}``
Example:
{ davmail.allowRemote = true; davmail.imapPort = 55555; davmail.bindAddress = "10.0.1.2"; davmail.smtpSaveInSent = true; davmail.folderSizeLimit = 10; davmail.caldavAutoSchedule = false; log4j.logger.rootLogger = "DEBUG"; }Declared by:
services.davmail.url¶
Outlook Web Access URL to access the exchange server, i.e. the base webmail URL.
Type: string
Example:
"https://outlook.office365.com/EWS/Exchange.asmx"Declared by:
services.dbus.packages¶
Packages whose D-Bus configuration files should be included in the configuration of the D-Bus system-wide or session-wide message bus. Specifically, files in the following directories will be included into their respective DBus configuration paths:
NoneNoneNoneNoneNoneNoneType: list of paths
Default: ``[
]``
Declared by:
services.dbus.socketActivated¶
Make the user instance socket activated.
Type: boolean
Default:
falseDeclared by:
services.dd-agent.enable¶
Whether to enable the dd-agent v5 monitoring service. For datadog-agent v6, see .
Type: boolean
Default:
falseDeclared by:
services.dd-agent.api_key¶
The Datadog API key to associate the agent with your account.
Warning: this key is stored in cleartext within the world-readable Nix store! Consider using the new v6 module instead.
Type: string
Example:
"ae0aa6a8f08efa988ba0a17578f009ab"Declared by:
services.dd-agent.hostname¶
The hostname to show in the Datadog dashboard (optional)
Type: null or string
Default:
nullExample:
"mymachine.mydomain"Declared by:
services.dd-agent.jmxConfig¶
JMX integration configuration
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.dd-agent.mongoConfig¶
MongoDB integration configuration
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.dd-agent.nginxConfig¶
Datadog nginx integration configuration
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.dd-agent.postgresqlConfig¶
Datadog PostgreSQL integration configuration
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.dd-agent.processConfig¶
Process integration configuration See ` <https://docs.datadoghq.com/integrations/process/>`_
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.dd-agent.tags¶
The tags to mark this Datadog agent
Type: null or list of strings
Default:
nullExample:
[ "test" "service" ]Declared by:
services.ddclient.enable¶
Whether to synchronise your machine’s IP address with a dynamic DNS provider (e.g. dyndns.org).
Type: boolean
Default:
falseDeclared by:
services.ddclient.configFile¶
Path to configuration file. When set to the default ‘/etc/ddclient.conf’ it will be populated with the various other options in this module. When it is changed (for example: ‘/root/nixos/secrets/ddclient.conf’) the file read directly to configure ddclient. This is a source of impurity. The purpose of this is to avoid placing secrets into the store.
Type: path
Default:
"/etc/ddclient.conf"Example:
"/root/nixos/secrets/ddclient.conf"Declared by:
services.ddclient.domains¶
Domain name(s) to synchronize.
Type: list of strings
Default:
[ "" ]Declared by:
services.ddclient.extraConfig¶
Extra configuration. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.ddclient.interval¶
The interval at which to run the check and update. See man 7 systemd.time for the format.
Type: string
Default:
"10min"Declared by:
services.ddclient.password¶
Password. WARNING: The password becomes world readable in the Nix store.
Type: string
Default:
""Declared by:
services.ddclient.protocol¶
Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
Type: string
Default:
"dyndns2"Declared by:
services.ddclient.quiet¶
Print no messages for unnecessary updates.
Type: boolean
Default:
falseDeclared by:
services.ddclient.script¶
script as required by some providers.
Type: string
Default:
""Declared by:
services.ddclient.server¶
Server address.
Type: string
Default:
""Declared by:
services.ddclient.ssl¶
Whether to use to use SSL/TLS to connect to dynamic DNS provider.
Type: boolean
Default:
trueDeclared by:
services.ddclient.use¶
Method to determine the IP address to send to the dynamic DNS provider.
Type: string
Default:
"web, web=checkip.dyndns.com/, web-skip='Current IP Address: '"Declared by:
services.ddclient.username¶
User name.
Type: string
Default:
""Declared by:
services.ddclient.verbose¶
Print verbose information.
Type: boolean
Default:
trueDeclared by:
services.ddclient.zone¶
zone as required by some providers.
Type: string
Default:
""Declared by:
services.deepin.core.enable¶
Whether to enable Basic dbus and systemd services, groups and users needed by the Deepin Desktop Environment. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.deepin.deepin-turbo.enable¶
Whether to enable Turbo service for the Deepin Desktop Environment. It is a daemon that helps to launch applications faster. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.deluge.enable¶
Whether to enable Deluge daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.deluge.authFile¶
The file managing the authentication for deluge, the format of this file is straightforward, each line contains a username:password:level tuple in plaintext. It only has an effect when is set to``true``. See ` <https://dev.deluge-torrent.org/wiki/UserGuide/Authentication>`_ for more informations.
Type: path
Example:
"/run/keys/deluge-auth"Declared by:
services.deluge.config¶
Deluge core configuration for the core.conf file. Only has an effect when is set to``true``. String values must be quoted, integer and boolean values must not. See` <https://git.deluge-torrent.org/deluge/tree/deluge/core/preferencesmanager.py#n41>`_ for the availaible options.
Type: attribute set
Default: ``{
}``
Example:
{ download_location = "/srv/torrents/"; max_upload_speed = "1000.0"; share_ratio_limit = "2.0"; allow_remote = true; daemon_port = 58846; listen_ports = [ 6881 6889 ]; }Declared by:
services.deluge.dataDir¶
The directory where deluge will create files.
Type: path
Default:
"/var/lib/deluge"Declared by:
services.deluge.declarative¶
Whether to use a declarative deluge configuration. Only if set to
true, the options, and will be applied.Type: boolean
Default:
falseDeclared by:
services.deluge.extraPackages¶
Extra packages available at runtime to enable Deluge’s plugins. For example, extraction utilities are required for the built-in “Extractor” plugin. This always contains unzip, gnutar, xz, p7zip and bzip2.
Type: list of packages
Default: ``[
]``
Declared by:
services.deluge.group¶
Group under which deluge runs.
Type: string
Default:
"deluge"Declared by:
services.deluge.openFilesLimit¶
Number of files to allow deluged to open.
Type: unspecified
Default:
4096Declared by:
services.deluge.openFirewall¶
Whether to open the firewall for the ports in. It only takes effet if is set to``true``.
It does NOT apply to the daemon port nor the web UI port. To access those ports secuerly check the documentation` <https://dev.deluge-torrent.org/wiki/UserGuide/ThinClient#CreateSSHTunnel>`_ or use a VPN or configure certificates for deluge.
Type: boolean
Default:
falseDeclared by:
services.deluge.user¶
User account under which deluge runs.
Type: string
Default:
"deluge"Declared by:
services.deluge.web.enable¶
Whether to enable Deluge Web daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.deluge.web.openFirewall¶
Open ports in the firewall for deluge web daemon
Type: boolean
Default:
falseDeclared by:
services.deluge.web.port¶
Deluge web UI port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8112Declared by:
services.devmon.enable¶
Whether to enable devmon, an automatic device mounting daemon.
Type: unspecified
Default:
falseDeclared by:
services.dhcpd4.enable¶
Whether to enable the DHCPv4 server.
Type: boolean
Default:
falseDeclared by:
services.dhcpd4.configFile¶
The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.
Type: null or path
Default:
nullDeclared by:
services.dhcpd4.extraConfig¶
Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something there, such as the options specifying the subnet mask, DNS servers, etc.
Type: strings concatenated with “\n”
Default:
""Example:
'' option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.5; option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1; option domain-name "example.org"; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.200; } ''Declared by:
services.dhcpd4.extraFlags¶
Additional command line flags to be passed to the dhcpd daemon.
Type: list of strings
Default: ``[
]``
Declared by:
services.dhcpd4.interfaces¶
The interfaces on which the DHCP server should listen.
Type: list of strings
Default:
[ "eth0" ]Declared by:
services.dhcpd4.machines¶
A list mapping Ethernet addresses to IPv4 addresses for the DHCP server.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ ethernetAddress = “00:16:76:9a:32:1d”; hostName = “foo”; ipAddress = “192.168.1.10”; }
{ ethernetAddress = “00:19:d1:1d:c4:9a”; hostName = “bar”; ipAddress = “192.168.1.11”; }
]``
Declared by:
services.dhcpd4.machines.*.ethernetAddress¶
MAC address of the machine.
Type: string
Example:
"00:16:76:9a:32:1d"Declared by:
services.dhcpd4.machines.*.hostName¶
Hostname which is assigned statically to the machine.
Type: string
Example:
"foo"Declared by:
services.dhcpd4.machines.*.ipAddress¶
IP address of the machine.
Type: string
Example:
"192.168.1.10"Declared by:
services.dhcpd4.stateDir¶
State directory for the DHCP server.
Type: path
Default:
"/var/lib/dhcp"Declared by:
services.dhcpd6.enable¶
Whether to enable the DHCPv6 server.
Type: boolean
Default:
falseDeclared by:
services.dhcpd6.configFile¶
The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.
Type: null or path
Default:
nullDeclared by:
services.dhcpd6.extraConfig¶
Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something there, such as the options specifying the subnet mask, DNS servers, etc.
Type: strings concatenated with “\n”
Default:
""Example:
'' option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.5; option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1; option domain-name "example.org"; subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.100 192.168.1.200; } ''Declared by:
services.dhcpd6.extraFlags¶
Additional command line flags to be passed to the dhcpd daemon.
Type: list of strings
Default: ``[
]``
Declared by:
services.dhcpd6.interfaces¶
The interfaces on which the DHCP server should listen.
Type: list of strings
Default:
[ "eth0" ]Declared by:
services.dhcpd6.machines¶
A list mapping Ethernet addresses to IPv6 addresses for the DHCP server.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ ethernetAddress = “00:16:76:9a:32:1d”; hostName = “foo”; ipAddress = “192.168.1.10”; }
{ ethernetAddress = “00:19:d1:1d:c4:9a”; hostName = “bar”; ipAddress = “192.168.1.11”; }
]``
Declared by:
services.dhcpd6.machines.*.ethernetAddress¶
MAC address of the machine.
Type: string
Example:
"00:16:76:9a:32:1d"Declared by:
services.dhcpd6.machines.*.hostName¶
Hostname which is assigned statically to the machine.
Type: string
Example:
"foo"Declared by:
services.dhcpd6.machines.*.ipAddress¶
IP address of the machine.
Type: string
Example:
"192.168.1.10"Declared by:
services.dhcpd6.stateDir¶
State directory for the DHCP server.
Type: path
Default:
"/var/lib/dhcp6"Declared by:
services.dictd.enable¶
Whether to enable the DICT.org dictionary server.
Type: boolean
Default:
falseDeclared by:
services.dictd.DBs¶
List of databases to make available.
Type: list of packages
Default:
"with pkgs.dictdDBs; [ wiktionary wordnet ]"Example:
[ pkgs.dictdDBs.nld2eng ]Declared by:
services.diod.enable¶
Whether to enable the diod 9P file server.
Type: boolean
Default:
falseDeclared by:
services.diod.allsquash¶
Remap all users to “nobody”. The attaching user need not be present in the password file.
Type: boolean
Default:
trueDeclared by:
services.diod.authRequired¶
Allow clients to connect without authentication, i.e. without a valid MUNGE credential.
Type: boolean
Default:
falseDeclared by:
services.diod.exportall¶
Export all file systems listed in /proc/mounts. If new file systems are mounted after diod has started, they will become immediately mountable. If there is a duplicate entry for a file system in the exports list, any options listed in the exports entry will apply.
Type: boolean
Default:
trueDeclared by:
services.diod.exportopts¶
Establish a default set of export options. These are overridden, not appended to, by opts attributes in an “exports” entry.
Type: list of strings
Default: ``[
]``
Declared by:
services.diod.exports¶
List the file systems that clients will be allowed to mount. All paths should be fully qualified. The exports table can include two types of element: a string element (as above), or an alternate table element form { path=”/path”, opts=”ro” }. In the alternate form, the (optional) opts attribute is a comma-separated list of export options. The two table element forms can be mixed in the exports table. Note that although diod will not traverse file system boundaries for a given mount due to inode uniqueness constraints, subdirectories of a file system can be separately exported.
Type: list of strings
Default: ``[
]``
Declared by:
services.diod.extraConfig¶
Extra configuration options for diod.conf.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.diod.listen¶
[ “IP:PORT” [,”IP:PORT”,…] ] List the interfaces and ports that diod should listen on.
Type: list of strings
Default:
[ "0.0.0.0:564" ]Declared by:
services.diod.logdest¶
Set the destination for logging. The value has the form of “syslog:facility:level” or “filename”.
Type: string
Default:
"syslog:daemon:err"Declared by:
services.diod.nwthreads¶
Sets the (fixed) number of worker threads created to handle 9P requests for a unique aname.
Type: signed integer
Default:
16Declared by:
services.diod.squashuser¶
Change the squash user. The squash user must be present in the password file.
Type: string
Default:
"nobody"Declared by:
services.diod.statfsPassthru¶
This option configures statfs to return the host file system’s type rather than V9FS_MAGIC.
Type: boolean
Default:
falseDeclared by:
services.diod.userdb¶
This option disables password/group lookups. It allows any uid to attach and assumes gid=uid, and supplementary groups contain only the primary gid.
Type: boolean
Default:
falseDeclared by:
services.disnix.enable¶
Whether to enable Disnix
Type: unspecified
Default:
falseDeclared by:
services.disnix.enableMultiUser¶
Whether to support multi-user mode by enabling the Disnix D-Bus service
Type: boolean
Default:
trueDeclared by:
services.disnix.package¶
The Disnix package
Type: path
Default:
"pkgs.disnix"Declared by:
services.disnix.useWebServiceInterface¶
Whether to enable the DisnixWebService interface running on Apache Tomcat
Type: unspecified
Default:
falseDeclared by:
services.dkimproxy-out.enable¶
Whether to enable dkimproxy_out.
Note that a key will be auto-generated, and can be found in /var/lib/dkimproxy-out.
Type: boolean
Default:
falseDeclared by:
services.dkimproxy-out.domains¶
List of domains DKIMproxy can sign for.
Type: list of strings
Example:
[ "example.org" "example.com" ]Declared by:
services.dkimproxy-out.keySize¶
Size of the RSA key to use to sign outgoing emails. Note that the maximum mandatorily verified as per RFC6376 is 2048.
Type: signed integer
Default:
2048Declared by:
services.dkimproxy-out.listen¶
Address:port DKIMproxy should listen on.
Type: string
Example:
"127.0.0.1:10027"Declared by:
services.dkimproxy-out.relay¶
Address:port DKIMproxy should forward mail to.
Type: string
Example:
"127.0.0.1:10028"Declared by:
services.dkimproxy-out.selector¶
The selector to use for DKIM key identification.
For example, if ‘selector1’ is used here, then for each domain ‘example.org’ given in `domain`, ‘selector1._domainkey.example.org’ should contain the TXT record indicating the public key is the one in /var/lib/dkimproxy-out/public.key: “v=DKIM1; t=s; p=[THE PUBLIC KEY]”.
Type: string
Example:
"selector1"Declared by:
services.dleyna-renderer.enable¶
Whether to enable dleyna-renderer service, a DBus service for handling DLNA renderers.
Type: boolean
Default:
falseDeclared by:
services.dleyna-server.enable¶
Whether to enable dleyna-server service, a DBus service for handling DLNA servers.
Type: boolean
Default:
falseDeclared by:
services.dnscache.enable¶
Whether to run the dnscache caching dns server.
Type: boolean
Default:
falseDeclared by:
services.dnscache.clientIps¶
Client IP addresses (or prefixes) from which to accept connections.
Type: list of strings
Default:
[ "127.0.0.1" ]Example:
[ "192.168" "172.23.75.82" ]Declared by:
services.dnscache.domainServers¶
Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts). If entry for @ is not specified predefined list of root servers is used.
Type: attribute set of list of stringss
Default: ``{
}``
Example:
{ @ = [ "8.8.8.8" "8.8.4.4" ] ; example.com = [ "192.168.100.100" ] ; }Declared by:
services.dnscache.forwardOnly¶
Whether to treat root servers (for @) as caching servers, requesting addresses the same way a client does. This is needed if you want to use e.g. Google DNS as your upstream DNS.
Type: boolean
Default:
falseDeclared by:
services.dnscache.ip¶
IP address on which to listen for connections.
Type: string
Default:
"0.0.0.0"Declared by:
services.dnschain.enable¶
Whether to enable DNSChain, a blockchain based DNS + HTTP server. To resolve .bit domains set
services.namecoind.enable = true;and an RPC username/password. .Type: boolean
Default:
falseExample:
trueDeclared by:
services.dnschain.api.hostname¶
The hostname (or IP address) the DNSChain API server will bind to.
Type: string
Default:
"0.0.0.0"Declared by:
services.dnschain.api.port¶
The port the DNSChain API server (HTTP) will bind to.
Type: signed integer
Default:
8080Declared by:
services.dnschain.api.tlsPort¶
The port the DNSChain API server (HTTPS) will bind to.
Type: signed integer
Default:
4433Declared by:
services.dnschain.dns.address¶
The IP address the DNSChain resolver will bind to. Leave this unchanged if you do not wish to directly expose the resolver.
Type: string
Default:
"127.0.0.1"Declared by:
services.dnschain.dns.externalAddress¶
The IP address used by clients to reach the resolver and the value of the
namecoin.dnsrecord. Set this in case the bind address is not the actual IP address (e.g. the machine is behind a NAT).Type: string
Default:
"127.0.0.1"Declared by:
services.dnschain.dns.port¶
The port the DNSChain resolver will bind to.
Type: signed integer
Default:
5333Declared by:
services.dnschain.extraConfig¶
Additional options that will be appended to the configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
'' [log] level = debug ''Declared by:
services.dnscrypt-proxy2.enable¶
Whether to enable dnscrypt-proxy2.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dnscrypt-proxy2.configFile¶
Path to TOML config file. See: ` <https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml>`_ If this option is set, it will override any configuration done in options.services.dnscrypt-proxy2.settings.
Type: path
Default:
TOML file generated from services.dnscrypt-proxy2.settingsExample:
"/etc/dnscrypt-proxy/dnscrypt-proxy.toml"Declared by:
services.dnscrypt-proxy2.settings¶
Attrset that is converted and passed as TOML config file. For available params, see: ` <https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml>`_
Type: attribute set
Default: ``{
}``
Example:
{ sources.public-resolvers = { urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ]; cache_file = "public-resolvers.md"; minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; refresh_delay = 72; }; }Declared by:
services.dnscrypt-wrapper.enable¶
Whether to enable DNSCrypt wrapper.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dnscrypt-wrapper.address¶
The DNSCrypt wrapper will bind to this IP address.
Type: string
Default:
"127.0.0.1"Declared by:
services.dnscrypt-wrapper.keys.checkInterval¶
The time interval (in minutes) between key expiration checks.
Type: signed integer
Default:
1440Declared by:
services.dnscrypt-wrapper.keys.expiration¶
The duration (in days) of the time-limited secret key. This will be automatically rotated before expiration.
Type: signed integer
Default:
30Declared by:
services.dnscrypt-wrapper.port¶
The DNSCrypt wrapper will listen for DNS queries on this port.
Type: signed integer
Default:
5353Declared by:
services.dnscrypt-wrapper.providerName¶
The name that will be given to this DNSCrypt resolver. Note: the resolver name must start with
2.dnscrypt-cert..Type: string
Default:
"2.dnscrypt-cert.nixos"Example:
"2.dnscrypt-cert.myresolver"Declared by:
services.dnscrypt-wrapper.upstream.address¶
The IP address of the upstream DNS server DNSCrypt will “wrap”.
Type: string
Default:
"127.0.0.1"Declared by:
services.dnscrypt-wrapper.upstream.port¶
The port of the upstream DNS server DNSCrypt will “wrap”.
Type: signed integer
Default:
53Declared by:
services.dnsdist.enable¶
Whether to enable dnsdist domain name server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dnsdist.extraConfig¶
Extra lines to be added verbatim to dnsdist.conf.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.dnsdist.listenAddress¶
Listen IP Address
Type: string
Default:
"0.0.0.0"Declared by:
services.dnsdist.listenPort¶
Listen port
Type: signed integer
Default:
53Declared by:
services.dnsmasq.enable¶
Whether to run dnsmasq.
Type: boolean
Default:
falseDeclared by:
services.dnsmasq.alwaysKeepRunning¶
If enabled, systemd will always respawn dnsmasq even if shut down manually. The default, disabled, will only restart it on error.
Type: boolean
Default:
falseDeclared by:
services.dnsmasq.extraConfig¶
Extra configuration directives that should be added to``dnsmasq.conf``.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.dnsmasq.resolveDNSChainQueries¶
Resolve
.bittop-level domains using DNSChain and namecoin.Type: boolean
Default:
falseDeclared by:
services.dnsmasq.resolveLocalQueries¶
Whether dnsmasq should resolve local queries (i.e. add 127.0.0.1 to /etc/resolv.conf).
Type: boolean
Default:
trueDeclared by:
services.dnsmasq.servers¶
The DNS servers which dnsmasq should query.
Type: list of strings
Default: ``[
]``
Example:
[ "8.8.8.8" "8.8.4.4" ]Declared by:
services.do-agent.enable¶
Whether to enable do-agent, the DigitalOcean droplet metrics agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dockerRegistry.enable¶
Whether to enable Docker Registry.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dockerRegistry.enableDelete¶
Enable delete for manifests and blobs.
Type: boolean
Default:
falseDeclared by:
services.dockerRegistry.enableGarbageCollect¶
Whether to enable garbage collect.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dockerRegistry.enableRedisCache¶
Whether to enable redis as blob cache.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dockerRegistry.extraConfig¶
Docker extra registry configuration via environment variables.
Type: attribute set
Default: ``{
}``
Declared by:
services.dockerRegistry.garbageCollectDates¶
Specification (in the format described bysystemd.time7) of the time at which the garbage collect will occur.
Type: string
Default:
"daily"Declared by:
services.dockerRegistry.listenAddress¶
Docker registry host or ip to bind to.
Type: string
Default:
"127.0.0.1"Declared by:
services.dockerRegistry.port¶
Docker registry port to bind to.
Type: signed integer
Default:
5000Declared by:
services.dockerRegistry.redisPassword¶
Set redis password.
Type: string
Default:
""Declared by:
services.dockerRegistry.redisUrl¶
Set redis host and port.
Type: string
Default:
"localhost:6379"Declared by:
services.dockerRegistry.storagePath¶
Docker registry storage path for the filesystem storage backend. Set to null to configure another backend via extraConfig.
Type: null or path
Default:
"/var/lib/docker-registry"Declared by:
services.documize.enable¶
Whether to enable Documize Wiki.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.documize.package¶
Which package to use for documize.
Type: package
Default:
*(build of documize-community-3.7.0)*Declared by:
services.documize.cert¶
The
cert.pemfile used for https.Type: null or string
Default:
nullDeclared by:
services.documize.db¶
Database specific connection string for example:
- MySQL/Percona/MariaDB:
user:password@tcp(host:3306)/documize- MySQLv8+:
user:password@tcp(host:3306)/documize?allowNativePasswords=true- PostgreSQL:
host=localhost port=5432 dbname=documize user=admin password=secret sslmode=disable- MSSQL:
sqlserver://username:password@localhost:1433?database=Documizeorsqlserver://sa@localhost/SQLExpress?database=DocumizeType: string
Declared by:
services.documize.dbtype¶
Specify the database provider:
mysql,percona,mariadb,postgresql,sqlserverType: one of “mysql”, “percona”, “mariadb”, “postgresql”, “sqlserver”
Default:
"postgresql"Declared by:
services.documize.forcesslport¶
Redirect given http port number to TLS.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
nullDeclared by:
services.documize.key¶
The
key.pemfile used for https.Type: null or string
Default:
nullDeclared by:
services.documize.location¶
reserved
Type: null or string
Default:
nullDeclared by:
services.documize.offline¶
Set
truefor offline mode.Type: boolean
Default:
falseDeclared by:
services.documize.port¶
The http/https port number.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
5001Declared by:
services.documize.salt¶
The salt string used to encode JWT tokens, if not set a random value will be generated.
Type: null or string
Default:
nullExample:
"3edIYV6c8B28b19fh"Declared by:
services.documize.stateDirectoryName¶
The name of the directory below
/var/lib/privatewhere documize runs in and stores, for example, backups.Type: string
Default:
"documize"Declared by:
services.dokuwiki.enable¶
Whether to enable DokuWiki web application..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dokuwiki.acl¶
Access Control Lists: see ` <https://www.dokuwiki.org/acl>`_ Mutually exclusive with services.dokuwiki.aclFile Set this to a value other than null to take precedence over aclFile option.
Type: null or strings concatenated with “\n”
Default:
nullExample:
"* @ALL 8"Declared by:
services.dokuwiki.aclFile¶
Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl Mutually exclusive with services.dokuwiki.acl which is preferred. Consult documentation ` <https://www.dokuwiki.org/acl>`_ for further instructions. Example: ` <https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist>`_
Type: null or path
Default:
nullDeclared by:
services.dokuwiki.aclUse¶
Necessary for users to log in into the system. Also limits anonymous users. When disabled, everyone is able to create and edit content.
Type: boolean
Default:
trueDeclared by:
services.dokuwiki.extraConfig¶
DokuWiki configuration. Refer to` <https://www.dokuwiki.org/config>`_ for details on supported values.
Type: null or strings concatenated with “\n”
Default:
nullExample:
'' $conf['title'] = 'My Wiki'; $conf['userewrite'] = 1; ''Declared by:
services.dokuwiki.hostName¶
FQDN for the instance.
Type: string
Default:
"localhost"Declared by:
services.dokuwiki.nginx¶
With this option, you can customize the nginx virtualHost which already has sensible defaults for DokuWiki.
Type: submodule
Default:
{ enableACME = true; forceSSL = true; }Example:
{ enableACME = false; serverAliases = [ "wiki.\\${config.networking.domain}" ] ; }Declared by:
services.dokuwiki.nginx.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
trueDeclared by:
services.dokuwiki.nginx.acmeFallbackHost¶
Host which to proxy requests to if acme challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
Type: null or string
Default:
nullDeclared by:
services.dokuwiki.nginx.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenge"Declared by:
services.dokuwiki.nginx.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.dokuwiki.nginx.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the nix store.
Type: attribute set of strings
Default: ``{
}``
Example:
{ user = "password"; };Declared by:
services.dokuwiki.nginx.basicAuthFile¶
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>
Type: null or path
Default:
nullDeclared by:
services.dokuwiki.nginx.default¶
Makes this vhost the default.
Type: boolean
Default:
falseDeclared by:
services.dokuwiki.nginx.extraConfig¶
These lines go to the end of the vhost verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.dokuwiki.nginx.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
trueDeclared by:
services.dokuwiki.nginx.globalRedirect¶
If set, all requests for this host are redirected permanently to the given hostname.
Type: null or string
Default:
nullExample:
"newserver.example.org"Declared by:
services.dokuwiki.nginx.http2¶
Whether to enable HTTP 2. Note that (as of writing) due to nginx’s implementation, to disable HTTP 2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2,then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default:
trueDeclared by:
services.dokuwiki.nginx.listen¶
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides
addSSLandonlySSL.Type: list of submodules
Default: ``[
]``
Example: ``[
{ addr = “195.154.1.1”; port = 443; ssl = true; }
{ addr = “192.154.1.1”; port = 80; }
]``
Declared by:
services.dokuwiki.nginx.listen.*.addr¶
services.dokuwiki.nginx.listen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of strings
Default: ``[
]``
Example:
[ "reuseport" "deferred" ]Declared by:
services.dokuwiki.nginx.listen.*.port¶
Port number.
Type: signed integer
Default:
80Declared by:
services.dokuwiki.nginx.listen.*.ssl¶
Enable SSL.
Type: boolean
Default:
falseDeclared by:
services.dokuwiki.nginx.locations¶
Declarative location config
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; };Declared by:
services.dokuwiki.nginx.locations.<name>.alias¶
Alias directory for requests.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.dokuwiki.nginx.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.dokuwiki.nginx.locations.<name>.index¶
Adds index directive.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.dokuwiki.nginx.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.dokuwiki.nginx.locations.<name>.proxyPass¶
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.dokuwiki.nginx.locations.<name>.proxyWebsockets¶
Whether to supporty proxying websocket connections with HTTP/1.1.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dokuwiki.nginx.locations.<name>.return¶
Adds a return directive, for e.g. redirections.
Type: null or string
Default:
nullExample:
"301 http://example.com\\$request_uri"Declared by:
services.dokuwiki.nginx.locations.<name>.root¶
Root directory for requests.
Type: null or path
Default:
nullExample:
"/your/root/directory"Declared by:
services.dokuwiki.nginx.locations.<name>.tryFiles¶
Adds try_files directive.
Type: null or string
Default:
nullExample:
"\\$uri =404"Declared by:
services.dokuwiki.nginx.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.dokuwiki.nginx.root¶
The path of the web root directory.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.dokuwiki.nginx.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "example.org" ]Declared by:
services.dokuwiki.nginx.serverName¶
Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default:
nullExample:
"example.org"Declared by:
services.dokuwiki.nginx.sslCertificate¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.dokuwiki.nginx.sslCertificateKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.dokuwiki.nginx.sslTrustedCertificate¶
Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default:
nullExample:
"/var/root.cert"Declared by:
services.dokuwiki.nginx.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.dokuwiki.pluginsConfig¶
List of the dokuwiki (un)loaded plugins.
Type: strings concatenated with “\n”
Default:
'' $plugins['authad'] = 0; $plugins['authldap'] = 0; $plugins['authmysql'] = 0; $plugins['authpgsql'] = 0; ''Declared by:
services.dokuwiki.poolConfig¶
Options for the dokuwiki PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.dokuwiki.stateDir¶
Location of the dokuwiki state directory.
Type: path
Default:
"/var/lib/dokuwiki/data"Declared by:
services.dokuwiki.superUser¶
You can set either a username, a list of usernames (“admin1,admin2”), or the name of a group by prepending an @ char to the groupname Consult documentation ` <https://www.dokuwiki.org/config:superuser>`_ for further instructions.
Type: null or string
Default:
"@admin"Declared by:
services.dokuwiki.usersFile¶
Location of the dokuwiki users file. List of users. Format: login:passwordhash:Real Name:email:groups,comma,separated Create passwordHash easily by using:$ mkpasswd -5 password `pwgen 8 1` Example: ` <https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist>`_
Type: null or path
Default:
nullDeclared by:
services.dovecot2.enable¶
Whether to enable Dovecot 2.x POP3/IMAP server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dovecot2.enableImap¶
Start the IMAP listener (when Dovecot is enabled).
Type: boolean
Default:
trueDeclared by:
services.dovecot2.enableLmtp¶
Start the LMTP listener (when Dovecot is enabled).
Type: boolean
Default:
falseDeclared by:
services.dovecot2.enablePAM¶
Whether to create a own Dovecot PAM service and configure PAM user logins.
Type: boolean
Default:
trueDeclared by:
services.dovecot2.enablePop3¶
Start the POP3 listener (when Dovecot is enabled).
Type: boolean
Default:
falseDeclared by:
services.dovecot2.enableQuota¶
Whether to enable the dovecot quota service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dovecot2.configFile¶
Config file used for the whole dovecot configuration.
Type: null or path
Default:
nullDeclared by:
services.dovecot2.createMailUser¶
Whether to automatically create the user given in and the group given in .
Type: boolean
Default:
trueDeclared by:
services.dovecot2.extraConfig¶
Additional entries to put verbatim into Dovecot’s config file.
Type: strings concatenated with “\n”
Default:
""Example:
"mail_debug = yes"Declared by:
services.dovecot2.group¶
Dovecot group name.
Type: string
Default:
"dovecot2"Declared by:
services.dovecot2.mailGroup¶
Default group to store mail for virtual users.
Type: null or string
Default:
nullDeclared by:
services.dovecot2.mailLocation¶
Location that dovecot will use for mail folders. Dovecot mail_location option.
Type: string
Default:
"maildir:/var/spool/mail/%u"Example:
"maildir:~/mail:INBOX=/var/spool/mail/%u"Declared by:
services.dovecot2.mailUser¶
Default user to store mail for virtual users.
Type: null or string
Default:
nullDeclared by:
services.dovecot2.mailboxes¶
services.dovecot2.mailboxes.*.auto¶
Whether to automatically create or create and subscribe to the mailbox or not.
Type: one of “no”, “create”, “subscribe”
Default:
"no"Example:
"subscribe"Declared by:
services.dovecot2.mailboxes.*.name¶
The name of the mailbox.
Type: string matching the pattern [^”]+
Example:
"Spam"Declared by:
services.dovecot2.mailboxes.*.specialUse¶
Null if no special use flag is set. Other than that every use flag mentioned in the RFC is valid.
Type: null or one of “All”, “Archive”, “Drafts”, “Flagged”, “Junk”, “Sent”, “Trash”
Default:
nullExample:
"Junk"Declared by:
services.dovecot2.modules¶
Symlinks the contents of lib/dovecot of every given package into /etc/dovecot/modules. This will make the given modules available if a dovecot package with the module_dir patch applied is being used.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.dovecot_pigeonhole ]Declared by:
services.dovecot2.protocols¶
Additional listeners to start when Dovecot is enabled.
Type: list of strings
Default: ``[
]``
Declared by:
services.dovecot2.quotaGlobalPerUser¶
Quota limit for the user in bytes. Supports suffixes b, k, M, G, T and %.
Type: string
Default:
"100G"Example:
"10G"Declared by:
services.dovecot2.quotaPort¶
The Port the dovecot quota service binds to. If using postfix, add check_policy_service inet:localhost:12340 to your smtpd_recipient_restrictions in your postfix config.
Type: string
Default:
"12340"Declared by:
services.dovecot2.showPAMFailure¶
Show the PAM failure message on authentication error (useful for OTPW).
Type: boolean
Default:
falseDeclared by:
services.dovecot2.sieveScripts¶
Sieve scripts to be executed. Key is a sequence, e.g. ‘before2’, ‘after’ etc.
Type: attribute set of paths
Default: ``{
}``
Declared by:
services.dovecot2.sslCACert¶
Path to the server’s CA certificate key.
Type: null or string
Default:
nullDeclared by:
services.dovecot2.sslServerCert¶
Path to the server’s public key.
Type: null or string
Default:
nullDeclared by:
services.dovecot2.sslServerKey¶
Path to the server’s private key.
Type: null or string
Default:
nullDeclared by:
services.dovecot2.user¶
Dovecot user name.
Type: string
Default:
"dovecot2"Declared by:
services.drbd.enable¶
Whether to enable support for DRBD, the Distributed Replicated Block Device.
Type: boolean
Default:
falseDeclared by:
services.drbd.config¶
Contents of the
drbd.confconfiguration file.Type: strings concatenated with “\n”
Default:
""Declared by:
services.dspam.enable¶
Whether to enable the dspam spam filter.
Type: boolean
Default:
falseDeclared by:
services.dspam.domainSocket¶
Path to local domain socket which is used for communication with the daemon. Set to null to disable UNIX socket.
Type: null or path
Default:
"/run/dspam/dspam.sock"Declared by:
services.dspam.extraConfig¶
Additional dspam configuration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.dspam.group¶
Group for the dspam daemon.
Type: string
Default:
"dspam"Declared by:
services.dspam.maintenanceInterval¶
If set, maintenance script will be run at specified (in systemd.timer format) interval
Type: null or string
Default:
nullDeclared by:
services.dspam.storageDriver¶
Storage driver backend to use for dspam.
Type: string
Default:
"hash"Declared by:
services.dspam.user¶
User for the dspam daemon.
Type: string
Default:
"dspam"Declared by:
services.duplicati.enable¶
Whether to enable Duplicati.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.duplicati.interface¶
Listening interface for the web UI Set it to “any” to listen on all available interfaces
Type: string
Default:
"127.0.0.1"Declared by:
services.duplicati.port¶
Port serving the web interface
Type: signed integer
Default:
8200Declared by:
services.duplicati.user¶
Duplicati runs as it’s own user. It will only be able to backup world-readable files. Run as root with special care.
Type: string
Default:
"duplicati"Declared by:
services.duplicity.enable¶
Whether to enable backups with duplicity.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.duplicity.exclude¶
List of paths to exclude from backups. See the FILE SELECTION section induplicity1 for details on the syntax.
Type: list of strings
Default: ``[
]``
Declared by:
services.duplicity.extraFlags¶
Extra command-line flags passed to duplicity. Seeduplicity1.
Type: list of strings
Default: ``[
]``
Example:
[ "--full-if-older-than" "1M" ]Declared by:
services.duplicity.frequency¶
Run duplicity with the given frequency (seesystemd.time7 for the format). If null, do not run automatically.
Type: null or string
Default:
"daily"Declared by:
services.duplicity.include¶
List of paths to include into the backups. See the FILE SELECTION section in duplicity1 for details on the syntax.
Type: list of strings
Default: ``[
]``
Example:
[ "/home" ]Declared by:
services.duplicity.root¶
Root directory to backup.
Type: path
Default:
"/"Declared by:
services.duplicity.secretFile¶
Path of a file containing secrets (gpg passphrase, access key…) in the format of EnvironmentFile as described bysystemd.exec5. For example:
PASSPHRASE=*...* AWS_ACCESS_KEY_ID=*...* AWS_SECRET_ACCESS_KEY=*...*Type: null or path
Default:
nullDeclared by:
services.duplicity.targetUrl¶
Target url to backup to. See the URL FORMAT section induplicity1 for supported urls.
Type: string
Example:
"s3://host:port/prefix"Declared by:
services.dwm-status.enable¶
Whether to enable dwm-status user service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.dwm-status.package¶
Which dwm-status package to use.
Type: package
Default:
"pkgs.dwm-status"Example:
"pkgs.dwm-status.override { enableAlsaUtils = false; }"Declared by:
services.dwm-status.extraConfig¶
Extra config in TOML format.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.dwm-status.order¶
List of enabled features in order.
Type: list of one of “audio”, “backlight”, “battery”, “cpu_load”, “network”, “time”s
Declared by:
services.earlyoom.enable¶
Enable early out of memory killing.
Type: boolean
Default:
falseDeclared by:
services.earlyoom.enableDebugInfo¶
Enable debugging messages.
Type: boolean
Default:
falseDeclared by:
services.earlyoom.freeMemThreshold¶
Minimum of availabe memory (in percent). If the free memory falls below this threshold and the analog is true for the killing begins.
Type: signed integer
Default:
10Declared by:
services.earlyoom.freeSwapThreshold¶
Minimum of availabe swap space (in percent). If the available swap space falls below this threshold and the analog is true for the killing begins.
Type: signed integer
Default:
10Declared by:
services.earlyoom.ignoreOOMScoreAdjust¶
Ignore oom_score_adjust values of processes. User-space implementation only.
Type: boolean
Default:
falseDeclared by:
services.earlyoom.notificationsCommand¶
Command used to send notifications.
See README for details.
Type: null or string
Default:
nullExample:
"sudo -u example_user DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus notify-send"Declared by:
services.earlyoom.useKernelOOMKiller¶
Use kernel OOM killer instead of own user-space implementation.
Type: boolean
Default:
falseDeclared by:
services.ecs-agent.enable¶
Whether to enable Amazon ECS agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ecs-agent.package¶
The ECS agent package to use
Type: path
Default:
"pkgs.ecs-agent"Declared by:
services.ecs-agent.extra-environment¶
The environment the ECS agent should run with. See the ECS agent documentation for keys that work here.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.ejabberd.enable¶
Whether to enable ejabberd server
Type: boolean
Default:
falseDeclared by:
services.ejabberd.package¶
ejabberd server package to use
Type: package
Default:
"pkgs.ejabberd"Declared by:
services.ejabberd.configFile¶
Configuration file for ejabberd in YAML format
Type: null or path
Default:
nullDeclared by:
services.ejabberd.ctlConfig¶
Configuration of ejabberdctl
Type: strings concatenated with “\n”
Default:
""Declared by:
services.ejabberd.group¶
Group under which ejabberd is ran
Type: string
Default:
"ejabberd"Declared by:
services.ejabberd.imagemagick¶
Add ImageMagick to server’s path; allows for image thumbnailing
Type: boolean
Default:
falseDeclared by:
services.ejabberd.loadDumps¶
Configuration dumps that should be loaded on the first startup
Type: list of paths
Default: ``[
]``
Example:
[ ./myejabberd.dump ]Declared by:
services.ejabberd.logsDir¶
Location of the logfile directory of ejabberd
Type: path
Default:
"/var/log/ejabberd"Declared by:
services.ejabberd.spoolDir¶
Location of the spooldir of ejabberd
Type: path
Default:
"/var/lib/ejabberd"Declared by:
services.ejabberd.user¶
User under which ejabberd is ran
Type: string
Default:
"ejabberd"Declared by:
services.elasticsearch.enable¶
Whether to enable elasticsearch.
Type: boolean
Default:
falseDeclared by:
services.elasticsearch.package¶
Elasticsearch package to use.
Type: package
Default:
"pkgs.elasticsearch"Declared by:
services.elasticsearch.cluster_name¶
Elasticsearch name that identifies your cluster for auto-discovery.
Type: string
Default:
"elasticsearch"Declared by:
services.elasticsearch.dataDir¶
Data directory for elasticsearch.
Type: path
Default:
"/var/lib/elasticsearch"Declared by:
services.elasticsearch.extraCmdLineOptions¶
Extra command line options for the elasticsearch launcher.
Type: list of strings
Default: ``[
]``
Declared by:
services.elasticsearch.extraConf¶
Extra configuration for elasticsearch.
Type: string
Default:
""Example:
'' node.name: "elasticsearch" node.master: true node.data: false ''Declared by:
services.elasticsearch.extraJavaOptions¶
Extra command line options for Java.
Type: list of strings
Default: ``[
]``
Example:
[ "-Djava.net.preferIPv4Stack=true" ]Declared by:
services.elasticsearch.listenAddress¶
Elasticsearch listen address.
Type: string
Default:
"127.0.0.1"Declared by:
services.elasticsearch.logging¶
Elasticsearch logging configuration.
Type: string
Default:
'' logger.action.name = org.elasticsearch.action logger.action.level = info appender.console.type = Console appender.console.name = console appender.console.layout.type = PatternLayout appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n rootLogger.level = info rootLogger.appenderRef.console.ref = console ''Declared by:
services.elasticsearch.plugins¶
Extra elasticsearch plugins
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.elasticsearchPlugins.discovery-ec2 ]Declared by:
services.elasticsearch.port¶
Elasticsearch port to listen for HTTP traffic.
Type: signed integer
Default:
9200Declared by:
services.elasticsearch.tcp_port¶
Elasticsearch port for the node to node communication.
Type: signed integer
Default:
9300Declared by:
services.elasticsearch-curator.enable¶
Whether to enable elasticsearch curator.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.elasticsearch-curator.actionYAML¶
curator action.yaml file contents, alternatively use curator-cli which takes a simple action command
Type: unspecified
Example:
'' --- actions: 1: action: delete_indices description: >- Delete indices older than 45 days (based on index name), for logstash- prefixed indices. Ignore the error if the filter does not result in an actionable list of indices (ignore_empty_list) and exit cleanly. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: prefix value: logstash- - filtertype: age source: name direction: older timestring: '%Y.%m.%d' unit: days unit_count: 45 ''Declared by:
services.elasticsearch-curator.hosts¶
a list of elasticsearch hosts to connect to
Type: list of strings
Default:
[ "localhost" ]Declared by:
services.elasticsearch-curator.interval¶
The frequency to run curator, a systemd.time such as ‘hourly’
Type: string
Default:
"hourly"Declared by:
services.elasticsearch-curator.port¶
the port that elasticsearch is listening on
Type: signed integer
Default:
9200Declared by:
services.emacs.enable¶
Whether to enable a user service for the Emacs daemon. Use
emacsclientto connect to the daemon. Iftrue,services.emacs.installis consideredtrue, whatever its value.Type: boolean
Default:
falseDeclared by:
services.emacs.package¶
emacs derivation to use.
Type: package
Default:
"pkgs.emacs"Declared by:
services.emacs.defaultEditor¶
When enabled, configures emacsclient to be the default editor using the EDITOR environment variable.
Type: boolean
Default:
falseDeclared by:
services.emacs.install¶
Whether to install a user service for the Emacs daemon. Once the service is started, use emacsclient to connect to the daemon.
The service must be manually started for each user with “systemctl –user start emacs” or globally through``services.emacs.enable``.
Type: boolean
Default:
falseDeclared by:
services.epmd.enable¶
Whether to enable socket activation for Erlang Port Mapper Daemon (epmd), which acts as a name server on all hosts involved in distributed Erlang computations.
Type: boolean
Default:
falseDeclared by:
services.epmd.package¶
The Erlang package to use to get epmd binary. That way you can re-use an Erlang runtime that is already installed for other purposes.
Type: package
Default:
*(build of erlang-22.1.7)*Declared by:
services.errbot.instances¶
services.errbot.instances.<name>.admins¶
services.errbot.instances.<name>.backend¶
Errbot backend name.
Type: string
Default:
"XMPP"Declared by:
services.errbot.instances.<name>.dataDir¶
Data directory for errbot instance.
Type: null or path
Default:
nullDeclared by:
services.errbot.instances.<name>.extraConfig¶
String to be appended to the config verbatim
Type: strings concatenated with “\n”
Default:
""Declared by:
services.errbot.instances.<name>.identity¶
Errbot identity configuration
Type: attribute set
Declared by:
services.errbot.instances.<name>.logLevel¶
Errbot log level
Type: string
Default:
"INFO"Declared by:
services.errbot.instances.<name>.plugins¶
services.etcd.enable¶
Whether to enable etcd.
Type: boolean
Default:
falseDeclared by:
services.etcd.advertiseClientUrls¶
Etcd list of this member’s client URLs to advertise to the rest of the cluster.
Type: list of strings
Default:
[ "http://127.0.0.1:2379" ]Declared by:
services.etcd.certFile¶
Cert file to use for clients
Type: null or path
Default:
nullDeclared by:
services.etcd.clientCertAuth¶
Whether to use certs for client authentication
Type: boolean
Default:
falseDeclared by:
services.etcd.dataDir¶
Etcd data directory.
Type: path
Default:
"/var/lib/etcd"Declared by:
services.etcd.discovery¶
Etcd discovery url
Type: string
Default:
""Declared by:
services.etcd.extraConf¶
Etcd extra configuration. See` <https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags>`_
Type: attribute set of strings
Default: ``{
}``
Example:
{ "CORS" = "*"; "NAME" = "default-name"; "MAX_RESULT_BUFFER" = "1024"; "MAX_CLUSTER_SIZE" = "9"; "MAX_RETRY_ATTEMPTS" = "3"; }Declared by:
services.etcd.initialAdvertisePeerUrls¶
Etcd list of this member’s peer URLs to advertise to rest of the cluster.
Type: list of strings
Default:
[ "http://127.0.0.1:2380" ]Declared by:
services.etcd.initialCluster¶
Etcd initial cluster configuration for bootstrapping.
Type: list of strings
Default:
[ "nixos=http://127.0.0.1:2380" ]Declared by:
services.etcd.initialClusterState¶
Etcd initial cluster configuration for bootstrapping.
Type: one of “new”, “existing”
Default:
"new"Declared by:
services.etcd.initialClusterToken¶
Etcd initial cluster token for etcd cluster during bootstrap.
Type: string
Default:
"etcd-cluster"Declared by:
services.etcd.keyFile¶
Key file to use for clients
Type: null or path
Default:
nullDeclared by:
services.etcd.listenClientUrls¶
Etcd list of URLs to listen on for client traffic.
Type: list of strings
Default:
[ "http://127.0.0.1:2379" ]Declared by:
services.etcd.listenPeerUrls¶
Etcd list of URLs to listen on for peer traffic.
Type: list of strings
Default:
[ "http://127.0.0.1:2380" ]Declared by:
services.etcd.name¶
Etcd unique node name.
Type: string
Default:
"nixos"Declared by:
services.etcd.peerCertFile¶
Cert file to use for peer to peer communication
Type: null or path
Default:
nullDeclared by:
services.etcd.peerClientCertAuth¶
Whether to check all incoming peer requests from the cluster for valid client certificates signed by the supplied CA
Type: boolean
Default:
falseDeclared by:
services.etcd.peerKeyFile¶
Key file to use for peer to peer communication
Type: null or path
Default:
nullDeclared by:
services.etcd.peerTrustedCaFile¶
Certificate authority file to use for peer to peer communication
Type: null or path
Default:
nullDeclared by:
services.etcd.trustedCaFile¶
Certificate authority file to use for clients
Type: null or path
Default:
nullDeclared by:
services.eternal-terminal.enable¶
Whether to enable Eternal Terminal server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.eternal-terminal.logSize¶
The maximum log size.
Type: signed integer
Default:
20971520Declared by:
services.eternal-terminal.port¶
The port the server should listen on. Will use the server’s default (2022) if not specified.
Make sure to open this port in the firewall if necessary.
Type: signed integer
Default:
2022Declared by:
services.eternal-terminal.silent¶
If enabled, disables all logging.
Type: boolean
Default:
falseDeclared by:
services.eternal-terminal.verbosity¶
The verbosity level (0-9).
Type: one of 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Default:
0Declared by:
services.ethminer.enable¶
Enable ethminer ether mining.
Type: boolean
Default:
falseDeclared by:
services.ethminer.apiPort¶
Ethminer api port. minus sign puts api in read-only mode.
Type: signed integer
Default:
-3333Declared by:
services.ethminer.maxPower¶
Miner max watt usage.
Type: signed integer
Default:
113Declared by:
services.ethminer.pool¶
Mining pool address.
Type: string
Example:
"eth-us-east1.nanopool.org"Declared by:
services.ethminer.recheckInterval¶
Interval in milliseconds between farm rechecks.
Type: signed integer
Default:
2000Declared by:
services.ethminer.registerMail¶
Url encoded email address to register with pool.
Type: string
Example:
"email%40example.org"Declared by:
services.ethminer.rig¶
Mining rig name.
Type: string
Default:
"mining-rig-name"Declared by:
services.ethminer.stratumPort¶
Stratum protocol tcp port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
9999Declared by:
services.ethminer.toolkit¶
Cuda or opencl toolkit.
Type: one of “cuda”, “opencl”
Default:
"cuda"Declared by:
services.ethminer.wallet¶
Ethereum wallet address.
Type: string
Example:
"0x0123456789abcdef0123456789abcdef01234567"Declared by:
services.exhibitor.enable¶
Whether to enable the exhibitor server.
Type: boolean
Default:
falseDeclared by:
services.exhibitor.autoManageInstances¶
Automatically manage ZooKeeper instances in the ensemble
Type: boolean
Default:
falseDeclared by:
services.exhibitor.baseDir¶
Baseline directory for exhibitor runtime config.
Type: string
Default:
"/var/exhibitor"Declared by:
services.exhibitor.configCheckMs¶
Period (ms) to check for shared config updates.
Type: signed integer
Default:
30000Declared by:
services.exhibitor.configType¶
Which configuration type you want to use. Additional config will be required depending on which type you are using.
Type: one of “file”, “s3”, “zookeeper”, “none”
Declared by:
services.exhibitor.extraConf¶
Extra Exhibitor configuration to put in the ZooKeeper config file.
Type: string
Default:
""Declared by:
services.exhibitor.fileSystemBackup¶
Enables file system backup of ZooKeeper log files
Type: boolean
Default:
falseDeclared by:
services.exhibitor.fsConfigDir¶
Directory to store Exhibitor properties (cannot be used with s3config). Exhibitor uses file system locks so you can specify a shared location so as to enable complete ensemble management.
Type: path
Declared by:
services.exhibitor.fsConfigLockPrefix¶
A prefix for a locking mechanism used in conjunction with fsconfigdir
Type: string
Default:
"exhibitor-lock-"Declared by:
services.exhibitor.fsConfigName¶
The name of the file to store config in
Type: string
Default:
"exhibitor.properties"Declared by:
services.exhibitor.headingText¶
Extra text to display in UI header
Type: null or string
Default:
nullDeclared by:
services.exhibitor.hostname¶
Hostname to use and advertise
Type: null or string
Default:
nullDeclared by:
services.exhibitor.jqueryStyle¶
Styling used for the JQuery-based UI.
Type: one of “red”, “black”, “custom”
Default:
"red"Declared by:
services.exhibitor.logLines¶
Max lines of logging to keep in memory for display.
Type: signed integer
Default:
1000Declared by:
services.exhibitor.nodeModification¶
Whether the Explorer UI will allow nodes to be modified (use with caution).
Type: boolean
Default:
trueDeclared by:
services.exhibitor.port¶
The port for exhibitor to listen on and communicate with other exhibitors.
Type: signed integer
Default:
8080Declared by:
services.exhibitor.s3Backup¶
Whether to enable backups to S3
Type: boolean
Default:
falseDeclared by:
services.exhibitor.s3Config.bucketName¶
Bucket name to store config
Type: string
Declared by:
services.exhibitor.s3Config.configPrefix¶
When using AWS S3 shared config files, the prefix to use for values such as locks
Type: string
Default:
"exhibitor-"Declared by:
services.exhibitor.s3Config.objectKey¶
S3 key name to store the config
Type: string
Declared by:
services.exhibitor.s3Credentials¶
Optional credentials to use for s3backup or s3config. Argument is the path to an AWS credential properties file with two properties: com.netflix.exhibitor.s3.access-key-id and com.netflix.exhibitor.s3.access-secret-key
Type: null or path
Default:
nullDeclared by:
services.exhibitor.s3Region¶
Optional region for S3 calls
Type: null or string
Default:
nullDeclared by:
services.exhibitor.servo¶
ZooKeeper will be queried once a minute for its state via the ‘mntr’ four letter word (this requires ZooKeeper 3.4.x+). Servo will be used to publish this data via JMX.
Type: boolean
Default:
falseDeclared by:
services.exhibitor.timeout¶
Connection timeout (ms) for ZK connections.
Type: signed integer
Default:
30000Declared by:
services.exhibitor.zkCleanupPeriod¶
How often (in milliseconds) to run the Zookeeper log cleanup task.
Type: signed integer
Default:
0Declared by:
services.exhibitor.zkClientPort¶
Zookeeper client port
Type: signed integer
Default:
2181Declared by:
services.exhibitor.zkConfigConnect¶
The initial connection string for ZooKeeper shared config storage
Type: list of strings
Example:
[ "host1:2181" "host2:2181" ]Declared by:
services.exhibitor.zkConfigExhibitorPath¶
If the ZooKeeper shared config is also running Exhibitor, the URI path for the REST call
Type: string
Default:
"/"Declared by:
services.exhibitor.zkConfigExhibitorPort¶
If the ZooKeeper shared config is also running Exhibitor, the port that Exhibitor is listening on. IMPORTANT: if this value is not set it implies that Exhibitor is not being used on the ZooKeeper shared config.
Type: null or signed integer
Declared by:
services.exhibitor.zkConfigPollMs¶
The period in ms to check for changes in the config ensemble
Type: signed integer
Default:
10000Declared by:
services.exhibitor.zkConfigRetry.retryQuantity¶
Retries connecting to the ZooKeeper config
Type: signed integer
Default:
3Declared by:
services.exhibitor.zkConfigRetry.sleepMs¶
Retry sleep time connecting to the ZooKeeper config
Type: signed integer
Default:
1000Declared by:
services.exhibitor.zkConfigZPath¶
The base ZPath that Exhibitor should use
Type: string
Example:
"/exhibitor/config"Declared by:
services.exhibitor.zkConnectPort¶
The port to use for followers to talk to each other.
Type: signed integer
Default:
2888Declared by:
services.exhibitor.zkDataDir¶
The Zookeeper data directory
Type: string
Default:
"/var/exhibitor/zkData"Declared by:
services.exhibitor.zkElectionPort¶
The port for Zookeepers to use for leader election.
Type: signed integer
Default:
3888Declared by:
services.exhibitor.zkExtraCfg¶
Extra options to pass into Zookeeper
Type: string
Default:
"initLimit=5&syncLimit=2&tickTime=2000"Declared by:
services.exhibitor.zkLogDir¶
The Zookeeper logs directory
Type: path
Default:
"/var/exhibitor/zkLogs"Declared by:
services.exhibitor.zkServersSpec¶
Zookeeper server spec for all servers in the ensemble.
Type: list of strings
Default: ``[
]``
Example:
[ "S:1:zk1.example.com" "S:2:zk2.example.com" "S:3:zk3.example.com" "O:4:zk-observer.example.com" ]Declared by:
services.exim.enable¶
Whether to enable the Exim mail transfer agent.
Type: boolean
Default:
falseDeclared by:
services.exim.package¶
The Exim derivation to use. This can be used to enable features such as LDAP or PAM support.
Type: package
Default:
"pkgs.exim"Declared by:
services.exim.config¶
Verbatim Exim configuration. This should not contain exim_user, exim_group, exim_path, or spool_directory.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.exim.group¶
Group to use when no root privileges are required.
Type: string
Default:
"exim"Declared by:
services.exim.spoolDir¶
Location of the spool directory of exim.
Type: path
Default:
"/var/spool/exim"Declared by:
services.exim.user¶
User to use when no root privileges are required. In particular, this applies when receiving messages and when doing remote deliveries. (Local deliveries run as various non-root users, typically as the owner of a local mailbox.) Specifying this value as root is not supported.
Type: string
Default:
"exim"Declared by:
services.factorio.enable¶
Whether to enable Factorio.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.factorio.autosave-interval¶
Autosave interval in minutes.
Type: null or signed integer
Default:
nullExample:
10Declared by:
services.factorio.configFile¶
The server’s configuration file.
The default file generated by this module contains lines essential to the server’s operation. Use its contents as a basis for any customizations.
Type: path
Default:
"configFile"Declared by:
services.factorio.description¶
Description of the game that will appear in the listing.
Type: null or string
Default:
""Declared by:
services.factorio.game-name¶
Name of the game as it will appear in the game listing.
Type: null or string
Default:
"Factorio Game"Declared by:
services.factorio.game-password¶
Game password.
Type: null or string
Default:
nullDeclared by:
services.factorio.lan¶
Game will be broadcast on LAN.
Type: boolean
Default:
falseDeclared by:
services.factorio.mods¶
Mods the server should install and activate.
The derivations in this list must “build” the mod by simply copying the .zip, named correctly, into the output directory. Eventually, there will be a way to pull in the most up-to-date list of derivations via nixos-channel. Until then, this is for experts only.
Type: list of packages
Default: ``[
]``
Declared by:
services.factorio.password¶
Your factorio.com login credentials. Required for games with visibility public.
Type: null or string
Default:
nullDeclared by:
services.factorio.port¶
The port to which the service should bind.
This option will also open up the UDP port in the firewall configuration.
Type: signed integer
Default:
34197Declared by:
services.factorio.public¶
Game will be published on the official Factorio matching server.
Type: boolean
Default:
falseDeclared by:
services.factorio.requireUserVerification¶
When set to true, the server will only allow clients that have a valid factorio.com account.
Type: boolean
Default:
trueDeclared by:
services.factorio.saveName¶
The name of the savegame that will be used by the server.
When not present in /var/lib/factorio/saves, a new map with default settings will be generated before starting the service.
Type: string
Default:
"default"Declared by:
services.factorio.stateDirName¶
Name of the directory under /var/lib holding the server’s data.
The configuration and map will be stored here.
Type: string
Default:
"factorio"Declared by:
services.factorio.token¶
Authentication token. May be used instead of ‘password’ above.
Type: null or string
Default:
nullDeclared by:
services.factorio.username¶
Your factorio.com login credentials. Required for games with visibility public.
Type: null or string
Default:
nullDeclared by:
services.fail2ban.enable¶
Whether to enable the fail2ban service.
Type: boolean
Default:
falseDeclared by:
services.fail2ban.package¶
The fail2ban package to use for running the fail2ban service.
Type: package
Default:
*(build of fail2ban-0.11.1)*Example:
"pkgs.fail2ban_0_11"Declared by:
services.fail2ban.packageFirewall¶
The firewall package used by fail2ban service.
Type: package
Default:
*(build of iptables-1.8.4)*Example:
"pkgs.nftables"Declared by:
services.fail2ban.banaction¶
Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is used to define action_* variables. Can be overridden globally or per section within jail.local file
Type: string
Default:
"iptables-multiport"Example:
"nftables-multiport"Declared by:
services.fail2ban.banaction-allports¶
Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is used to define action_* variables. Can be overridden globally or per section within jail.local file
Type: string
Default:
"iptables-allport"Example:
"nftables-allport"Declared by:
services.fail2ban.bantime-increment.enable¶
Allows to use database for searching of previously banned ip’s to increase a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32…
Type: boolean
Default:
falseDeclared by:
services.fail2ban.bantime-increment.factor¶
“bantime-increment.factor” is a coefficient to calculate exponent growing of the formula or common multiplier, default value of factor is 1 and with default value of formula, the ban time grows by 1, 2, 4, 8, 16 …
Type: string
Default:
"1"Example:
"4"Declared by:
services.fail2ban.bantime-increment.formula¶
“bantime-increment.formula” used by default to calculate next value of ban time, default value bellow, the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32…
Type: string
Default:
"ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor"Example:
"ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"Declared by:
services.fail2ban.bantime-increment.maxtime¶
“bantime-increment.maxtime” is the max number of seconds using the ban time can reach (don’t grows further)
Type: string
Default:
"10h"Example:
"48h"Declared by:
services.fail2ban.bantime-increment.multipliers¶
“bantime-increment.multipliers” used to calculate next value of ban time instead of formula, coresponding previously ban count and given “bantime.factor” (for multipliers default is 1); following example grows ban time by 1, 2, 4, 8, 16 … and if last ban count greater as multipliers count, always used last multiplier (64 in example), for factor ‘1’ and original ban time 600 - 10.6 hours
Type: string
Default:
"1 2 4 8 16 32 64"Example:
"2 4 16 128"Declared by:
services.fail2ban.bantime-increment.overalljails¶
“bantime-increment.overalljails” (if true) specifies the search of IP in the database will be executed cross over all jails, if false (dafault), only current jail of the ban IP will be searched
Type: boolean
Default:
falseExample:
trueDeclared by:
services.fail2ban.bantime-increment.rndtime¶
“bantime-increment.rndtime” is the max number of seconds using for mixing with random time to prevent “clever” botnets calculate exact time IP can be unbanned again
Type: string
Default:
"4m"Example:
"8m"Declared by:
services.fail2ban.daemonConfig¶
The contents of Fail2ban’s main configuration file. It’s generally not necessary to change it.
Type: strings concatenated with “\n”
Default:
'' [Definition] logtarget = SYSLOG socket = /run/fail2ban/fail2ban.sock pidfile = /run/fail2ban/fail2ban.pid dbfile = /var/lib/fail2ban/fail2ban.sqlite3 ''Declared by:
services.fail2ban.ignoreIP¶
“ignoreIP” can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which matches an address in this list. Several addresses can be defined using space (and/or comma) separator.
Type: list of strings
Default: ``[
]``
Example:
[ "192.168.0.0/16" "2001:DB8::42" ]Declared by:
services.fail2ban.jails¶
The configuration of each Fail2ban “jail”. A jail consists of an action (such as blocking a port using:command:iptables) that is triggered when a filter applied to a log file triggers more than a certain number of times in a certain time period. Actions are defined in
/etc/fail2ban/action.d, while filters are defined in:file:/etc/fail2ban/filter.d.Type: attribute set of strings concatenated with “\n”s
Default: ``{
}``
Example:
{ apache-nohome-iptables = '' # Block an IP address if it accesses a non-existent # home directory more than 5 times in 10 minutes, # since that indicates that it's scanning. filter = apache-nohome action = iptables-multiport[name=HTTP, port="http,https"] logpath = /var/log/httpd/error_log* findtime = 600 bantime = 600 maxretry = 5 ''; }Declared by:
services.fakeroute.enable¶
Whether to enable the fakeroute service.
Type: boolean
Default:
falseDeclared by:
services.fakeroute.route¶
Fake route that will appear after the real one to any host running a traceroute.
Type: list of strings
Default: ``[
]``
Example:
[ "216.102.187.130" "4.0.1.122" "198.116.142.34" "63.199.8.242" ]Declared by:
services.fcgiwrap.enable¶
Whether to enable fcgiwrap, a server for running CGI applications over FastCGI.
Type: boolean
Default:
falseDeclared by:
services.fcgiwrap.group¶
Group permissions for the socket.
Type: null or string
Default:
nullDeclared by:
services.fcgiwrap.preforkProcesses¶
Number of processes to prefork.
Type: signed integer
Default:
1Declared by:
services.fcgiwrap.socketAddress¶
Socket address. In case of a UNIX socket, this should be its filesystem path.
Type: string
Default:
"/run/fcgiwrap.sock"Example:
"1.2.3.4:5678"Declared by:
services.fcgiwrap.socketType¶
Socket type: ‘unix’, ‘tcp’ or ‘tcp6’.
Type: one of “unix”, “tcp”, “tcp6”
Default:
"unix"Declared by:
services.fcgiwrap.user¶
User permissions for the socket.
Type: null or string
Default:
nullDeclared by:
services.fcron.enable¶
Whether to enable the fcron daemon.
Type: boolean
Default:
falseDeclared by:
services.fcron.allow¶
Users allowed to use fcrontab and fcrondyn (one name per line,
allfor everyone).Type: list of strings
Default:
[ "all" ]Declared by:
services.fcron.deny¶
services.fcron.maxSerialJobs¶
Maximum number of serial jobs which can run simultaneously.
Type: signed integer
Default:
1Declared by:
services.fcron.queuelen¶
Number of jobs the serial queue and the lavg queue can contain.
Type: null or signed integer
Default:
nullDeclared by:
services.fcron.systab¶
The “system” crontab contents.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.felix.enable¶
Whether to enable the Apache Felix OSGi service
Type: unspecified
Default:
falseDeclared by:
services.felix.bundles¶
List of bundles that should be activated on startup
Type: list of packages
Default:
"[ pkgs.felix_remoteshell ]"Declared by:
services.felix.group¶
Group account under which Apache Felix runs.
Type: unspecified
Default:
"osgi"Declared by:
services.felix.user¶
User account under which Apache Felix runs.
Type: unspecified
Default:
"osgi"Declared by:
services.ferm.enable¶
Whether to enable Ferm Firewall. *Warning*: Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.
Type: boolean
Default:
falseDeclared by:
services.ferm.package¶
The ferm package.
Type: package
Default:
"pkgs.ferm"Declared by:
services.ferm.config¶
Verbatim ferm.conf configuration.
Type: strings concatenated with “\n”
Default:
"empty firewall, allows any traffic"Declared by:
services.firebird.enable¶
Whether to enable the Firebird super server.
Type: unspecified
Default:
falseDeclared by:
services.firebird.package¶
Which firebird derivation to use.
Type: package
Default:
"pkgs.firebirdSuper"Declared by:
services.firebird.baseDir¶
Location containing data/ and system/ directories. data/ stores the databases, system/ stores the password database security2.fdb.
Type: unspecified
Default:
"/var/db/firebird"Declared by:
services.firebird.port¶
Port Firebird uses.
Type: unspecified
Default:
"3050"Declared by:
services.firebird.user¶
User account under which firebird runs.
Type: unspecified
Default:
"firebird"Declared by:
services.firefox.syncserver.enable¶
Whether to enable a Firefox Sync Server, this give the opportunity to Firefox users to store all synchronized data on their own server. To use this server, Firefox users should visit the , and replicate the following change
services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5where corresponds to the public url of the server.
Type: boolean
Default:
falseDeclared by:
services.firefox.syncserver.allowNewUsers¶
Whether to allow new-user signups on the server. Only request by existing accounts will be honored.
Type: boolean
Default:
trueDeclared by:
services.firefox.syncserver.listen.address¶
Address on which the sync server listen to.
Type: string
Default:
"127.0.0.1"Example:
"0.0.0.0"Declared by:
services.firefox.syncserver.listen.port¶
Port on which the sync server listen to.
Type: signed integer
Default:
5000Declared by:
services.firefox.syncserver.privateConfig¶
The private config file is used to extend the generated config with confidential information, such as the setting if it contains a password, and the setting is used by the server to generate cryptographically-signed authentication tokens.
If this file does not exists, then it is created with a generated settings.
Type: string
Default:
"/etc/firefox/syncserver-secret.ini"Declared by:
services.firefox.syncserver.publicUrl¶
Public URL with which firefox users can use to access the sync server.
Type: string
Default:
"http://localhost:5000/"Example:
"http://sync.example.com/"Declared by:
services.firefox.syncserver.sqlUri¶
The location of the database. This URL is composed of, where is a database name such as, , , etc., and the name of a DBAPI, such as, , , etc. The SQLAlchemy documentation provides more examples and describe the syntax of the expected URL.
Type: string
Default:
"sqlite:////var/db/firefox-sync-server/firefox-sync-server.db"Example:
"postgresql://scott:tiger@localhost/test"Declared by:
services.fireqos.enable¶
If enabled, FireQOS will be launched with the specified configuration given in `config`.
Type: boolean
Default:
falseDeclared by:
services.fireqos.config¶
The FireQOS configuration goes here.
Type: string
Default:
""Example:
'' interface wlp3s0 world-in input rate 10mbit ethernet class web commit 50kbit match tcp ports 80,443 interface wlp3s0 world-out input rate 10mbit ethernet class web commit 50kbit match tcp ports 80,443 ''Declared by:
services.flannel.enable¶
Whether to enable flannel.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.flannel.package¶
Package to use for flannel
Type: package
Default:
"pkgs.flannel.bin"Declared by:
services.flannel.backend¶
Type of backend to use and specific configurations for that backend.
Type: attribute set
Default:
{ Type = "vxlan"; }Declared by:
services.flannel.etcd.caFile¶
Etcd certificate authority file
Type: null or path
Default:
nullDeclared by:
services.flannel.etcd.certFile¶
Etcd cert file
Type: null or path
Default:
nullDeclared by:
services.flannel.etcd.endpoints¶
Etcd endpoints
Type: list of strings
Default:
[ "http://127.0.0.1:2379" ]Declared by:
services.flannel.etcd.keyFile¶
Etcd key file
Type: null or path
Default:
nullDeclared by:
services.flannel.etcd.prefix¶
Etcd key prefix
Type: string
Default:
"/coreos.com/network"Declared by:
services.flannel.iface¶
Interface to use (IP or name) for inter-host communication. Defaults to the interface for the default route on the machine.
Type: null or string
Default:
nullDeclared by:
services.flannel.kubeconfig¶
Path to kubeconfig to use for storing flannel config using the Kubernetes API
Type: null or path
Default:
nullDeclared by:
services.flannel.network¶
IPv4 network in CIDR format to use for the entire flannel network.
Type: string
Declared by:
services.flannel.nodeName¶
Needed when running with Kubernetes as backend as this cannot be auto-detected”;
Type: null or string
Default:
"nixos"Example:
"node1.example.com"Declared by:
services.flannel.publicIp¶
IP accessible by other nodes for inter-host communication. Defaults to the IP of the interface being used for communication.
Type: null or string
Default:
nullDeclared by:
services.flannel.storageBackend¶
Determines where flannel stores its configuration at runtime
Type: one of “etcd”, “kubernetes”
Default:
"etcd"Declared by:
services.flannel.subnetLen¶
The size of the subnet allocated to each host. Defaults to 24 (i.e. /24) unless the Network was configured to be smaller than a /24 in which case it is one less than the network.
Type: signed integer
Default:
24Declared by:
services.flannel.subnetMax¶
The end of IP range which the subnet allocation should start with. Defaults to the last subnet of Network.
Type: null or string
Default:
nullDeclared by:
services.flannel.subnetMin¶
The beginning of IP range which the subnet allocation should start with. Defaults to the first subnet of Network.
Type: null or string
Default:
nullDeclared by:
services.flashpolicyd.enable¶
Whether to enable the Flash Policy server. This is necessary if you want Flash applications to make connections to your server.
Type: unspecified
Default:
falseDeclared by:
services.flashpolicyd.policy¶
The policy to be served. The default is to allow connections from any domain to any port.
Type: unspecified
Default:
'' <?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy> <site-control permitted-cross-domain-policies="master-only"/> <allow-access-from domain="*" to-ports="*" /> </cross-domain-policy> ''Declared by:
services.flatpak.enable¶
Whether to enable flatpak.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.flexget.enable¶
Whether to enable Run FlexGet Daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.flexget.config¶
The YAML configuration for FlexGet.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.flexget.homeDir¶
Where files live.
Type: path
Default:
"/var/lib/deluge"Example:
"/home/flexget"Declared by:
services.flexget.interval¶
When to perform a flexget run. See man 7 systemd.time for the format.
Type: string
Default:
"10m"Example:
"1h"Declared by:
services.flexget.systemScheduler¶
When true, execute the runs via the flexget-runner.timer. If false, you have to specify the settings yourself in the YML file.
Type: boolean
Default:
trueExample:
"false"Declared by:
services.flexget.user¶
The user under which to run flexget.
Type: string
Default:
"deluge"Example:
"some_user"Declared by:
services.fluentd.enable¶
Whether to enable fluentd.
Type: boolean
Default:
falseDeclared by:
services.fluentd.package¶
The fluentd package to use.
Type: path
Default:
"pkgs.fluentd"Declared by:
services.fluentd.config¶
Fluentd config.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.fluentd.plugins¶
A list of plugin paths to pass into fluentd. It will make plugins defined in ruby files there available in your config.
Type: list of paths
Default: ``[
]``
Declared by:
services.foldingAtHome.enable¶
Whether to enable the Folding@Home to use idle CPU time.
Type: unspecified
Default:
falseDeclared by:
services.foldingAtHome.config¶
Extra configuration. Contents will be added verbatim to the configuration file.
Type: unspecified
Default:
""Declared by:
services.foldingAtHome.nickname¶
A unique handle for statistics.
Type: unspecified
Default:
"Anonymous"Declared by:
services.foundationdb.enable¶
Whether to enable FoundationDB Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.foundationdb.package¶
The FoundationDB package to use for this server. This must be specified by the user in order to ensure migrations and upgrades are controlled appropriately.
Type: package
Declared by:
services.foundationdb.backupProcesses¶
Number of backup_agent processes to run for snapshots.
Type: signed integer
Default:
1Declared by:
services.foundationdb.class¶
Process class
Type: null or one of “storage”, “transaction”, “stateless”
Default:
nullDeclared by:
services.foundationdb.dataDir¶
Data directory. All cluster data will be put under here.
Type: path
Default:
"/var/lib/foundationdb"Declared by:
services.foundationdb.extraReadWritePaths¶
An extra set of filesystem paths that FoundationDB can read to and write from. By default, FoundationDB runs under a heavily namespaced systemd environment without write access to most of the filesystem outside of its data and log directories. By adding paths to this list, the set of writeable paths will be expanded. This is useful for allowing e.g. backups to local files, which must be performed on behalf of the foundationdb service.
Type: list of paths
Default: ``[
]``
Declared by:
services.foundationdb.group¶
Group account under which FoundationDB runs.
Type: string
Default:
"foundationdb"Declared by:
services.foundationdb.listenAddress¶
Publicly visible IP address of the process. Port is determined by process ID
Type: string
Default:
"public"Declared by:
services.foundationdb.listenPortStart¶
Starting port number for database listening sockets. Every FDB process binds to a subsequent port, to this number reflects the start of the overall range. e.g. having 8 server processes will use all ports between 4500 and 4507.
Type: signed integer
Default:
4500Declared by:
services.foundationdb.locality¶
FoundationDB locality settings.
Type: submodule
Default:
{ dataHall = null; datacenterId = null; machineId = null; zoneId = null; }Declared by:
services.foundationdb.locality.dataHall¶
Data hall identifier key. All processes physically located in a data hall should share the id. If you are depending on data hall based replication this must be set on all processes.
Type: null or string
Default:
nullDeclared by:
services.foundationdb.locality.datacenterId¶
Data center identifier key. All processes physically located in a data center should share the id. If you are depending on data center based replication this must be set on all processes.
Type: null or string
Default:
nullDeclared by:
services.foundationdb.locality.machineId¶
Machine identifier key. All processes on a machine should share a unique id. By default, processes on a machine determine a unique id to share. This does not generally need to be set.
Type: null or string
Default:
nullDeclared by:
services.foundationdb.locality.zoneId¶
Zone identifier key. Processes that share a zone id are considered non-unique for the purposes of data replication. If unset, defaults to machine id.
Type: null or string
Default:
nullDeclared by:
services.foundationdb.logDir¶
Log directory.
Type: path
Default:
"/var/log/foundationdb"Declared by:
services.foundationdb.logSize¶
Roll over to a new log file after the current log file reaches the specified size.
Type: string
Default:
"10MiB"Declared by:
services.foundationdb.maxLogSize¶
Delete the oldest log file when the total size of all log files exceeds the specified size. If set to 0, old log files will not be deleted.
Type: string
Default:
"100MiB"Declared by:
services.foundationdb.memory¶
Maximum memory used by the process. The default value is``8GiB``. When specified without a unit,``MiB`` is assumed. This parameter does not change the memory allocation of the program. Rather, it sets a hard limit beyond which the process will kill itself and be restarted. The default value of
8GiBis double the intended memory usage in the default configuration (providing an emergency buffer to deal with memory leaks or similar problems). It is not recommended to decrease the value of this parameter below its default value. It may be increased if you wish to allocate a very large amount of storage engine memory or cache. In particular, when thestorageMemoryparameter is increased, thememoryparameter should be increased by an equal amount.Type: string
Default:
"8GiB"Declared by:
services.foundationdb.openFirewall¶
Open the firewall ports corresponding to FoundationDB processes and coordinators using .
Type: boolean
Default:
falseDeclared by:
services.foundationdb.pidfile¶
Path to pidfile for fdbmonitor.
Type: path
Default:
"/run/foundationdb.pid"Declared by:
services.foundationdb.publicAddress¶
Publicly visible IP address of the process. Port is determined by process ID
Type: string
Default:
"auto"Declared by:
services.foundationdb.restartDelay¶
Number of seconds to wait before restarting servers.
Type: signed integer
Default:
10Declared by:
services.foundationdb.serverProcesses¶
Number of fdbserver processes to run.
Type: signed integer
Default:
1Declared by:
services.foundationdb.storageMemory¶
Maximum memory used for data storage. The default value is``1GiB``. When specified without a unit,``MB`` is assumed. Clusters using the memory storage engine will be restricted to using this amount of memory per process for purposes of data storage. Memory overhead associated with storing the data is counted against this total. If you increase the``storageMemory``, you should also increase the
memoryparameter by the same amount.Type: string
Default:
"1GiB"Declared by:
services.foundationdb.tls¶
FoundationDB Transport Security Layer (TLS) settings.
Type: null or submodule
Default:
nullDeclared by:
services.foundationdb.tls.allowedPeers¶
“Peer verification string”. This may be used to adjust which TLS client certificates a server will accept, as a form of user authorization; for example, it may only accept TLS clients who offer a certificate abiding by some locality or organization name.
For more information, please see the FoundationDB documentation.
Type: string
Default:
"Check.Valid=1,Check.Unexpired=1"Declared by:
services.foundationdb.tls.certificate¶
Path to the TLS certificate file. This certificate will be offered to, and may be verified by, clients.
Type: string
Declared by:
services.foundationdb.tls.key¶
Private key file for the certificate.
Type: string
Declared by:
services.foundationdb.traceFormat¶
Trace logging format.
Type: one of “xml”, “json”
Default:
"xml"Declared by:
services.foundationdb.user¶
User account under which FoundationDB runs.
Type: string
Default:
"foundationdb"Declared by:
services.fprintd.enable¶
Whether to enable fprintd daemon and PAM module for fingerprint readers handling.
Type: boolean
Default:
falseDeclared by:
services.fprintd.package¶
fprintd package to use.
Type: package
Default:
"pkgs.fprintd"Example:
"pkgs.fprintd-thinkpad"Declared by:
services.fprot.updater.enable¶
Whether to enable automatic F-Prot virus definitions database updates.
Type: unspecified
Default:
falseDeclared by:
services.fprot.updater.frequency¶
Update virus definitions every X minutes.
Type: unspecified
Default:
30Declared by:
services.fprot.updater.licenseKeyfile¶
License keyfile. Defaults to the one supplied with installation package.
Type: unspecified
Declared by:
services.fprot.updater.productData¶
product.data file. Defaults to the one supplied with installation package.
Type: unspecified
Declared by:
services.frab.enable¶
Enable the frab service.
Type: boolean
Default:
falseDeclared by:
services.frab.database¶
Rails database configuration for Frab as Nix attribute set.
Type: attribute set
Default:
{ adapter = "sqlite3"; database = "/var/lib/frab/db.sqlite3"; pool = 5; timeout = 5000; }Example:
{ adapter = "postgresql"; database = "frab"; encoding = "utf8"; host = "localhost"; password = "supersecret"; pool = 5; username = "frabuser"; }Declared by:
services.frab.extraEnvironment¶
Additional environment variables to set for frab for further configuration. See the frab documentation for more information.
Type: attribute set
Default: ``{
}``
Example:
{ EXCEPTION_EMAIL = "frab-owner@example.com"; FRAB_CURRENCY_FORMAT = "%n%u"; FRAB_CURRENCY_UNIT = "€"; SMTP_ADDRESS = "localhost"; SMTP_AUTHENTICATION = "1"; SMTP_DOMAIN = "localdomain"; SMTP_NOTLS = "1"; SMTP_PASSWORD = "toor"; SMTP_PORT = "587"; SMTP_USER_NAME = "root"; }Declared by:
services.frab.fromEmail¶
Email address used by frab.
Type: string
Default:
"frab@localhost"Declared by:
services.frab.group¶
Group to run frab.
Type: string
Default:
"frab"Declared by:
services.frab.host¶
Hostname under which this frab instance can be reached.
Type: string
Example:
"frab.example.com"Declared by:
services.frab.listenAddress¶
Address or hostname frab should listen on.
Type: string
Default:
"localhost"Declared by:
services.frab.listenPort¶
Port frab should listen on.
Type: signed integer
Default:
3000Declared by:
services.frab.protocol¶
Either http or https, depending on how your Frab instance will be exposed to the public.
Type: string
Default:
"https"Example:
"http"Declared by:
services.frab.secretKeyBase¶
Your secret key is used for verifying the integrity of signed cookies. If you change this key, all old signed cookies will become invalid!
Make sure the secret is at least 30 characters and all random, no regular words or you’ll be exposed to dictionary attacks.
Type: string
Declared by:
services.frab.statePath¶
Directory where frab keeps its state.
Type: string
Default:
"/var/lib/frab"Declared by:
services.frab.user¶
User to run frab.
Type: string
Default:
"frab"Declared by:
services.fractalart.enable¶
Enable FractalArt for generating colorful wallpapers on login
Type: boolean
Default:
falseExample:
trueDeclared by:
services.fractalart.height¶
Screen height
Type: null or signed integer
Default:
nullExample:
1080Declared by:
services.fractalart.width¶
Screen width
Type: null or signed integer
Default:
nullExample:
1920Declared by:
services.freefall.enable¶
Whether to protect HP/Dell laptop hard drives (not SSDs) in free fall.
Type: boolean
Default:
falseDeclared by:
services.freefall.package¶
freefall derivation to use.
Type: package
Default:
"pkgs.freefall"Declared by:
services.freefall.devices¶
Device paths to all internal spinning hard drives.
Type: list of strings
Default:
[ "/dev/sda" ]Declared by:
services.freenet.enable¶
Enable the Freenet daemon
Type: boolean
Default:
falseDeclared by:
services.freenet.nice¶
Set the nice level for the Freenet daemon
Type: signed integer
Default:
10Declared by:
services.freeradius.enable¶
Whether to enable the freeradius server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.freeradius.configDir¶
The path of the freeradius server configuration directory.
Type: path
Default:
"/etc/raddb"Declared by:
services.freeswitch.enable¶
Whether to enable FreeSWITCH.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.freeswitch.enableReload¶
Issue the
reloadxmlcommand to FreeSWITCH when configuration directory changes (instead of restart). See FreeSWITCH documentation for more info. The configuration directory is exposed at/etc/freeswitch. See alsosystemd.services.*.restartIfChanged.Type: boolean
Default:
falseDeclared by:
services.freeswitch.package¶
FreeSWITCH package.
Type: package
Default:
pkgs.freeswitchExample:
pkgs.freeswitchDeclared by:
services.freeswitch.configDir¶
Override file in FreeSWITCH config template directory. Each top-level attribute denotes a file path in the configuration directory, its value is the file path. See FreeSWITCH documentation for more info. Also check available templates in FreeSWITCH repository.
Type: attribute set of paths
Default: ``{
}``
Example:
{ "freeswitch.xml" = ./freeswitch.xml; "dialplan/default.xml" = pkgs.writeText "dialplan-default.xml" '' [xml lines] ''; }Declared by:
services.freeswitch.configTemplate¶
Configuration template to use. See available templates in FreeSWITCH repository. You can also set your own configuration directory.
Type: path
Default:
${config.services.freeswitch.package}/share/freeswitch/conf/vanillaExample:
${config.services.freeswitch.package}/share/freeswitch/conf/minimalDeclared by:
services.fstrim.enable¶
Whether to enable periodic SSD TRIM of mounted partitions in background.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.fstrim.interval¶
How often we run fstrim. For most desktop and server systems a sufficient trimming frequency is once a week.
The format is described insystemd.time7.
Type: string
Default:
"weekly"Declared by:
services.fusionInventory.enable¶
Whether to enable Fusion Inventory Agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.fusionInventory.extraConfig¶
Configuration that is injected verbatim into the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.fusionInventory.servers¶
The urls of the OCS/GLPI servers to connect to.
Type: list of strings
Declared by:
services.fwupd.enable¶
Whether to enable fwupd, a DBus service that allows applications to update firmware.
Type: boolean
Default:
falseDeclared by:
services.fwupd.enableTestRemote¶
Whether to enable test remote. This is used by`installed tests <https://github.com/fwupd/fwupd/blob/master/data/installed-tests/README.md>`_.
Type: boolean
Default:
falseDeclared by:
services.fwupd.package¶
Which fwupd package to use.
Type: package
Default:
*(build of fwupd-1.3.8)*Declared by:
services.fwupd.blacklistDevices¶
Allow blacklisting specific devices by their GUID
Type: list of strings
Default: ``[
]``
Example:
[ "2082b5e0-7a64-478a-b1b2-e3404fab6dad" ]Declared by:
services.fwupd.blacklistPlugins¶
Allow blacklisting specific plugins
Type: list of strings
Default: ``[
]``
Example:
[ "udev" ]Declared by:
services.fwupd.extraTrustedKeys¶
Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files. By default trusted firmware can be upgraded (but not downgraded) without the user or administrator password. Only very few keys are installed by default.
Type: list of paths
Default: ``[
]``
Example:
[ /etc/nixos/fwupd/myfirmware.pem ]Declared by:
services.gale.enable¶
Whether to enable the Gale messaging daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gale.domain¶
Domain name for the Gale system.
Type: string
Default:
""Declared by:
services.gale.extraConfig¶
Additional text to be added to
/etc/gale/conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.gale.group¶
Group name for the Gale daemon.
Type: string
Default:
"gale"Declared by:
services.gale.keyPath¶
Directory containing the key pair for this Gale domain. The expected filename will be taken from the domain option with “.gpri” and “.gpub” appended.
Type: null or path
Default:
nullDeclared by:
services.gale.setuidWrapper¶
Configuration for the Gale gksign setuid wrapper.
Type: unspecified
Default:
nullDeclared by:
services.gale.user¶
Username for the Gale daemon.
Type: string
Default:
"gale"Declared by:
services.gammu-smsd.enable¶
Whether to enable gammu-smsd daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gammu-smsd.backend.files.errorSMSPath¶
Where SMSes with error in transmission is placed
Type: path
Default:
"/var/spool/sms/error/"Declared by:
services.gammu-smsd.backend.files.inboxPath¶
Where the received SMSes are stored
Type: path
Default:
"/var/spool/sms/inbox/"Declared by:
services.gammu-smsd.backend.files.outboxPath¶
Where SMSes to be sent should be placed
Type: path
Default:
"/var/spool/sms/outbox/"Declared by:
services.gammu-smsd.backend.files.sentSMSPath¶
Where the transmitted SMSes are placed
Type: path
Default:
"/var/spool/sms/sent/"Declared by:
services.gammu-smsd.backend.service¶
Service to use to store sms data.
Type: one of “null”, “files”, “sql”
Default:
"null"Declared by:
services.gammu-smsd.backend.sql.database¶
Database name to store sms data
Type: string
Default:
nullDeclared by:
services.gammu-smsd.backend.sql.driver¶
DB driver to use
Type: one of “native_mysql”, “native_pgsql”, “odbc”, “dbi”
Declared by:
services.gammu-smsd.backend.sql.host¶
Database server address
Type: string
Default:
"localhost"Declared by:
services.gammu-smsd.backend.sql.password¶
User password used for connetion to the database
Type: null or string
Default:
nullDeclared by:
services.gammu-smsd.backend.sql.sqlDialect¶
SQL dialect to use (odbc driver only)
Type: null or string
Default:
nullDeclared by:
services.gammu-smsd.backend.sql.user¶
User name used for connection to the database
Type: null or string
Default:
nullDeclared by:
services.gammu-smsd.device.connection¶
Protocol which will be used to talk to the phone
Type: string
Default:
"at"Declared by:
services.gammu-smsd.device.group¶
Owner group of the device
Type: string
Default:
"root"Example:
"dialout"Declared by:
services.gammu-smsd.device.path¶
Device node or address of the phone
Type: path
Example:
"/dev/ttyUSB2"Declared by:
services.gammu-smsd.device.pin¶
PIN code for the simcard
Type: null or string
Default:
nullDeclared by:
services.gammu-smsd.device.synchronizeTime¶
Whether to set time from computer to the phone during starting connection
Type: boolean
Default:
trueDeclared by:
services.gammu-smsd.extraConfig.gammu¶
Extra config lines to be added into [gammu] section
Type: strings concatenated with “\n”
Default:
""Declared by:
services.gammu-smsd.extraConfig.smsd¶
Extra config lines to be added into [smsd] section
Type: strings concatenated with “\n”
Default:
""Declared by:
services.gammu-smsd.log.file¶
Path to file where information about communication will be stored
Type: string
Default:
"syslog"Declared by:
services.gammu-smsd.log.format¶
Determines what will be logged to the LogFile
Type: one of “nothing”, “text”, “textall”, “textalldate”, “errors”, “errorsdate”, “binary”
Default:
"errors"Declared by:
services.gammu-smsd.user¶
User that has access to the device
Type: string
Default:
"smsd"Declared by:
services.gateone.enable¶
Whether to enable GateOne server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gateone.pidDir¶
Path of pid files for GateOne.
Type: path
Default:
"/run/gateone"Declared by:
services.gateone.settingsDir¶
Path of configuration files for GateOne.
Type: path
Default:
"/var/lib/gateone"Declared by:
services.gdomap.enable¶
Whether to enable GNUstep Distributed Objects name server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.geoclue2.enable¶
Whether to enable GeoClue 2 daemon, a DBus service that provides location information for accessing.
Type: boolean
Default:
falseDeclared by:
services.geoclue2.enable3G¶
Whether to enable 3G source.
Type: boolean
Default:
trueDeclared by:
services.geoclue2.enableCDMA¶
Whether to enable CDMA source.
Type: boolean
Default:
trueDeclared by:
services.geoclue2.enableDemoAgent¶
Whether to use the GeoClue demo agent. This should be overridden by desktop environments that provide their own agent.
Type: boolean
Default:
trueDeclared by:
services.geoclue2.enableModemGPS¶
Whether to enable Modem-GPS source.
Type: boolean
Default:
trueDeclared by:
services.geoclue2.enableNmea¶
Whether to fetch location from NMEA sources on local network.
Type: boolean
Default:
trueDeclared by:
services.geoclue2.enableWifi¶
Whether to enable WiFi source.
Type: boolean
Default:
trueDeclared by:
services.geoclue2.appConfig¶
Specify extra settings per application.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
"com.github.app" = { isAllowed = true; isSystem = true; users = [ "300" ]; };Declared by:
services.geoclue2.appConfig.<name?>.desktopID¶
Desktop ID of the application.
Type: string
Declared by:
services.geoclue2.appConfig.<name?>.isAllowed¶
Whether the application will be allowed access to location information.
Type: boolean
Default:
nullDeclared by:
services.geoclue2.appConfig.<name?>.isSystem¶
Whether the application is a system component or not.
Type: boolean
Default:
nullDeclared by:
services.geoclue2.appConfig.<name?>.users¶
List of UIDs of all users for which this application is allowed location info access, Defaults to an empty string to allow it for all users.
Type: list of strings
Default: ``[
]``
Declared by:
services.geoclue2.geoProviderUrl¶
The url to the wifi GeoLocation Service.
Type: string
Default:
"https://location.services.mozilla.com/v1/geolocate?key=geoclue"Example:
"https://www.googleapis.com/geolocation/v1/geolocate?key=YOUR_KEY"Declared by:
services.geoclue2.submissionNick¶
A nickname to submit network data with. Must be 2-32 characters long.
Type: string
Default:
"geoclue"Declared by:
services.geoclue2.submissionUrl¶
The url to submit data to a GeoLocation Service.
Type: string
Default:
"https://location.services.mozilla.com/v1/submit?key=geoclue"Declared by:
services.geoclue2.submitData¶
Whether to submit data to a GeoLocation Service.
Type: boolean
Default:
falseDeclared by:
services.geoip-updater.enable¶
Whether to enable periodic downloading of GeoIP databases from maxmind.com. You might want to enable this if you, for instance, use ntopng or Wireshark.
Type: boolean
Default:
falseDeclared by:
services.geoip-updater.databaseDir¶
Directory that will contain GeoIP databases.
Type: path
Default:
"/var/lib/geoip-databases"Declared by:
services.geoip-updater.databases¶
Which GeoIP databases to update. The full URL is https://geolite.maxmind.com/download/geoip/database/ +``the_database``.
Type: list of strings
Default:
[ "GeoLiteCountry/GeoIP.dat.gz" "GeoIPv6.dat.gz" "GeoLiteCity.dat.xz" "GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz" "asnum/GeoIPASNum.dat.gz" "asnum/GeoIPASNumv6.dat.gz" "GeoLite2-Country.mmdb.gz" "GeoLite2-City.mmdb.gz" ]Declared by:
services.geoip-updater.interval¶
Update the GeoIP databases at this time / interval. The format is described insystemd.time7. To prevent load spikes on maxmind.com, the timer interval is randomized by an additional delay of 3600 seconds. Setting a shorter interval than this is not recommended.
Type: string
Default:
"weekly"Declared by:
services.gitDaemon.enable¶
Enable Git daemon, which allows public hosting of git repositories without any access controls. This is mostly intended for read-only access.
You can allow write access by setting daemon.receivepack configuration item of the repository to true. This is solely meant for a closed LAN setting where everybody is friendly.
If you need any access controls, use something else.
Type: boolean
Default:
falseDeclared by:
services.gitDaemon.basePath¶
Remap all the path requests as relative to the given path. For example, if you set base-path to /srv/git, then if you later try to pull git://example.com/hello.git, Git daemon will interpret the path as /srv/git/hello.git.
Type: string
Default:
""Example:
"/srv/git/"Declared by:
services.gitDaemon.exportAll¶
Publish all directories that look like Git repositories (have the objects and refs subdirectories), even if they do not have the git-daemon-export-ok file.
If disabled, you need to touch .git/git-daemon-export-ok in each repository you want the daemon to publish.
Warning: enabling this without a repository whitelist or basePath publishes every git repository you have.
Type: boolean
Default:
falseDeclared by:
services.gitDaemon.group¶
Group under which Git daemon would be running.
Type: string
Default:
"git"Declared by:
services.gitDaemon.listenAddress¶
Listen on a specific IP address or hostname.
Type: string
Default:
""Example:
"example.com"Declared by:
services.gitDaemon.options¶
Extra configuration options to be passed to Git daemon.
Type: string
Default:
""Declared by:
services.gitDaemon.port¶
Port to listen on.
Type: signed integer
Default:
9418Declared by:
services.gitDaemon.repositories¶
A whitelist of paths of git repositories, or directories containing repositories all of which would be published. Paths must not end in “/”.
Warning: leaving this empty and enabling exportAll publishes all repositories in your filesystem or basePath if specified.
Type: list of strings
Default: ``[
]``
Example:
[ "/srv/git" "/home/user/git/repo2" ]Declared by:
services.gitDaemon.user¶
User under which Git daemon would be running.
Type: string
Default:
"git"Declared by:
services.gitea.enable¶
Enable Gitea Service.
Type: boolean
Default:
falseDeclared by:
services.gitea.package¶
gitea derivation to use
Type: package
Default:
"pkgs.gitea"Declared by:
services.gitea.appName¶
Application name.
Type: string
Default:
"gitea: Gitea Service"Declared by:
services.gitea.cookieSecure¶
Marks session cookies as “secure” as a hint for browsers to only send them via HTTPS. This option is recommend, if gitea is being served over HTTPS.
Type: boolean
Default:
falseDeclared by:
services.gitea.database.createDatabase¶
Whether to create a local database automatically.
Type: boolean
Default:
trueDeclared by:
services.gitea.database.host¶
Database host address.
Type: string
Default:
"127.0.0.1"Declared by:
services.gitea.database.name¶
Database name.
Type: string
Default:
"gitea"Declared by:
services.gitea.database.password¶
The password corresponding to . Warning: this is stored in cleartext in the Nix store! Use instead.
Type: string
Default:
""Declared by:
services.gitea.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/gitea-dbpassword"Declared by:
services.gitea.database.path¶
Path to the sqlite3 database file.
Type: string
Default:
"/var/lib/gitea/data/gitea.db"Declared by:
services.gitea.database.port¶
Database host port.
Type: signed integer
Default:
3306Declared by:
services.gitea.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
"null"Example:
"/run/mysqld/mysqld.sock"Declared by:
services.gitea.database.type¶
Database engine to use.
Type: one of “sqlite3”, “mysql”, “postgres”
Default:
"sqlite3"Example:
"mysql"Declared by:
services.gitea.database.user¶
Database user.
Type: string
Default:
"gitea"Declared by:
services.gitea.disableRegistration¶
By default any user can create an account on this
giteainstance. This can be disabled by using this option.Note: please keep in mind that this should be added after the initial deploy unless services.gitea.useWizard is
trueas the first registered user will be the administrator if no install wizard is used.Type: boolean
Default:
falseExample:
trueDeclared by:
services.gitea.domain¶
Domain name of your server.
Type: string
Default:
"localhost"Declared by:
services.gitea.dump.enable¶
Enable a timer that runs gitea dump to generate backup-files of the current gitea database and repositories.
Type: boolean
Default:
falseDeclared by:
services.gitea.dump.interval¶
Run a gitea dump at this interval. Runs by default at 04:31 every day.
The format is described insystemd.time7.
Type: string
Default:
"04:31"Example:
"hourly"Declared by:
services.gitea.extraConfig¶
Configuration lines appended to the generated gitea configuration file.
Type: string
Default:
""Declared by:
services.gitea.httpAddress¶
HTTP listen address.
Type: string
Default:
"0.0.0.0"Declared by:
services.gitea.httpPort¶
HTTP listen port.
Type: signed integer
Default:
3000Declared by:
services.gitea.log.level¶
General log level.
Type: one of “Trace”, “Debug”, “Info”, “Warn”, “Error”, “Critical”
Default:
"Trace"Declared by:
services.gitea.log.rootPath¶
Root path for log files.
Type: string
Default:
"/var/lib/gitea/log"Declared by:
services.gitea.mailerPasswordFile¶
Path to a file containing the SMTP password.
Type: null or string
Default:
nullExample:
"/var/lib/secrets/gitea/mailpw"Declared by:
services.gitea.repositoryRoot¶
Path to the git repositories.
Type: string
Default:
"/var/lib/gitea/repositories"Declared by:
services.gitea.rootUrl¶
Full public URL of gitea server.
Type: string
Default:
"http://localhost:3000/"Declared by:
services.gitea.stateDir¶
gitea data directory.
Type: string
Default:
"/var/lib/gitea"Declared by:
services.gitea.staticRootPath¶
Upper level of template and static files path.
Type: string
Default:
"\\${pkgs.gitea.data}"Example:
"/var/lib/gitea/data"Declared by:
services.gitea.useWizard¶
Do not generate a configuration and use gitea’ installation wizard instead. The first registered user will be administrator.
Type: boolean
Default:
falseDeclared by:
services.gitea.user¶
User account under which gitea runs.
Type: string
Default:
"gitea"Declared by:
services.gitlab.enable¶
Enable the gitlab service.
Type: boolean
Default:
falseDeclared by:
services.gitlab.packages.gitaly¶
Reference to the gitaly package
Type: package
Default:
"pkgs.gitaly"Declared by:
services.gitlab.packages.gitlab¶
Reference to the gitlab package
Type: package
Default:
"pkgs.gitlab"Example:
"pkgs.gitlab-ee"Declared by:
services.gitlab.packages.gitlab-shell¶
Reference to the gitlab-shell package
Type: package
Default:
"pkgs.gitlab-shell"Declared by:
services.gitlab.packages.gitlab-workhorse¶
Reference to the gitlab-workhorse package
Type: package
Default:
"pkgs.gitlab-workhorse"Declared by:
services.gitlab.backupPath¶
Gitlab path for backups.
Type: string
Default:
"/var/gitlab/state/backup"Declared by:
services.gitlab.databaseCreateLocally¶
Whether a database should be automatically created on the local host. Set this to
falseif you plan on provisioning a local database yourself. This has no effect if is customized.Type: boolean
Default:
trueDeclared by:
services.gitlab.databaseHost¶
Gitlab database hostname. An empty string means use local unix socket connection.
Type: string
Default:
""Declared by:
services.gitlab.databaseName¶
Gitlab database name.
Type: string
Default:
"gitlab"Declared by:
services.gitlab.databasePasswordFile¶
File containing the Gitlab database user password.
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.databasePool¶
Database connection pool size.
Type: signed integer
Default:
5Declared by:
services.gitlab.databaseUsername¶
Gitlab database user.
Type: string
Default:
"gitlab"Declared by:
services.gitlab.extraConfig¶
Extra options to be added under``production`` in:file:config/gitlab.yml, as a nix attribute set.
Options containing secret data should be set to an attribute set containing the attribute
_secret- a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting:file:config/gitlab.yml file, the``production.omniauth.providers[0].args.client_options.secret`` key will be set to the contents of the:file:/var/keys/gitlab_oidc_secret file.Type: attribute set
Default: ``{
}``
Example:
{ gitlab = { default_projects_features = { builds = false; }; }; omniauth = { enabled = true; auto_sign_in_with_provider = "openid_connect"; allow_single_sign_on = ["openid_connect"]; block_auto_created_users = false; providers = [ { name = "openid_connect"; label = "OpenID Connect"; args = { name = "openid_connect"; scope = ["openid" "profile"]; response_type = "code"; issuer = "https://keycloak.example.com/auth/realms/My%20Realm"; discovery = true; client_auth_method = "query"; uid_field = "preferred_username"; client_options = { identifier = "gitlab"; secret = { _secret = "/var/keys/gitlab_oidc_secret"; }; redirect_uri = "https://git.example.com/users/auth/openid_connect/callback"; }; }; } ]; }; };Declared by:
services.gitlab.extraDatabaseConfig¶
services.gitlab.extraGitlabRb¶
Extra configuration to be placed in config/extra-gitlab.rb. This can be used to add configuration not otherwise exposed through this module’s options.
Type: string
Default:
""Example:
'' if Rails.env.production? Rails.application.config.action_mailer.delivery_method = :sendmail ActionMailer::Base.delivery_method = :sendmail ActionMailer::Base.sendmail_settings = { location: "/run/wrappers/bin/sendmail", arguments: "-i -t" } end ''Declared by:
services.gitlab.group¶
Group to run gitlab and all related services.
Type: string
Default:
"gitlab"Declared by:
services.gitlab.host¶
Gitlab host name. Used e.g. for copy-paste URLs.
Type: string
Default:
"nixos"Declared by:
services.gitlab.https¶
Whether gitlab prints URLs with https as scheme.
Type: boolean
Default:
falseDeclared by:
services.gitlab.initialRootEmail¶
Initial email address of the root account if this is a new install.
Type: string
Default:
"admin@local.host"Declared by:
services.gitlab.initialRootPasswordFile¶
File containing the initial password of the root account if this is a new install.
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.port¶
Gitlab server port for copy-paste URLs, e.g. 80 or 443 if you’re service over https.
Type: signed integer
Default:
8080Declared by:
services.gitlab.secrets.dbFile¶
A file containing the secret used to encrypt variables in the DB. If you change or lose this key you will be unable to access variables stored in database.
Make sure the secret is at least 30 characters and all random, no regular words or you’ll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.secrets.jwsFile¶
A file containing the secret used to encrypt session keys. If you change or lose this key, users will be disconnected.
Make sure the secret is an RSA private key in PEM format. You can generate one with
openssl genrsa 2048
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.secrets.otpFile¶
A file containing the secret used to encrypt secrets for OTP tokens. If you change or lose this key, users which have 2FA enabled for login won’t be able to login anymore.
Make sure the secret is at least 30 characters and all random, no regular words or you’ll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.secrets.secretFile¶
A file containing the secret used to encrypt variables in the DB. If you change or lose this key you will be unable to access variables stored in database.
Make sure the secret is at least 30 characters and all random, no regular words or you’ll be exposed to dictionary attacks.
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.smtp.enable¶
Enable gitlab mail delivery over SMTP.
Type: boolean
Default:
falseDeclared by:
services.gitlab.smtp.enableStartTLSAuto¶
Whether to try to use StartTLS.
Type: boolean
Default:
trueDeclared by:
services.gitlab.smtp.address¶
Address of the SMTP server for Gitlab.
Type: string
Default:
"localhost"Declared by:
services.gitlab.smtp.authentication¶
Authentitcation type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html
Type: null or string
Default:
nullDeclared by:
services.gitlab.smtp.domain¶
HELO domain to use for outgoing mail.
Type: string
Default:
"localhost"Declared by:
services.gitlab.smtp.opensslVerifyMode¶
How OpenSSL checks the certificate, see http://api.rubyonrails.org/classes/ActionMailer/Base.html
Type: string
Default:
"peer"Declared by:
services.gitlab.smtp.passwordFile¶
File containing the password of the SMTP server for Gitlab.
This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab.smtp.port¶
Port of the SMTP server for Gitlab.
Type: signed integer
Default:
465Declared by:
services.gitlab.smtp.username¶
Username of the SMTP server for Gitlab.
Type: null or string
Default:
nullDeclared by:
services.gitlab.statePath¶
Gitlab state directory. Configuration, repositories and logs, among other things, are stored here.
The directory will be created automatically if it doesn’t exist already. Its parent directories must be owned by either
rootor the user set in.Type: string
Default:
"/var/gitlab/state"Declared by:
services.gitlab.user¶
User to run gitlab and all related services.
Type: string
Default:
"gitlab"Declared by:
services.gitlab-runner.enable¶
Whether to enable Gitlab Runner.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gitlab-runner.package¶
Gitlab Runner package to use
Type: package
Default:
"pkgs.gitlab-runner"Example:
pkgs.gitlab-runner_1_11Declared by:
services.gitlab-runner.packages¶
Packages to add to PATH for the gitlab-runner process.
Type: list of packages
Default:
"[ pkgs.bash pkgs.docker-machine ]"Declared by:
services.gitlab-runner.configFile¶
Configuration file for gitlab-runner. Use this option in favor of configOptions to avoid placing CI tokens in the nix store.
takes precedence over .
Warning: Not using will potentially result in secrets leaking into the WORLD-READABLE nix store.
Type: null or path
Default:
nullDeclared by:
services.gitlab-runner.configOptions¶
Configuration for gitlab-runner will take precedence over this option.
Warning: all Configuration, especially CI token, will be stored in a WORLD-READABLE file in the Nix Store.
If you want to protect your CI token use instead.
Type: attribute set
Example: ``{ concurrent = 2; runners = [
{ builds_dir = “”; docker = { cache_dir = “”; disable_cache = true; host = “”; image = “nixos/nix:1.11”; privileged = true; } ; executor = “docker”; name = “docker-nix-1.11”; token = “TOKEN”; url = “https://CI/”; }
}``
Declared by:
services.gitlab-runner.gracefulTermination¶
Finish all remaining jobs before stopping, restarting or reconfiguring. If not set gitlab-runner will stop immediatly without waiting for jobs to finish, which will lead to failed builds.
Type: boolean
Default:
falseDeclared by:
services.gitlab-runner.gracefulTimeout¶
Time to wait until a graceful shutdown is turned into a forceful one.
Type: string
Default:
"infinity"Example:
"5min 20s"Declared by:
services.gitlab-runner.workDir¶
The working directory used
Type: path
Default:
"/var/lib/gitlab-runner"Declared by:
services.gitolite.enable¶
Enable gitolite management under the``gitolite`` user. After switching to a configuration with Gitolite enabled, you can then run
git clone gitolite@host:gitolite-admin.gitto manage it further.Type: boolean
Default:
falseDeclared by:
services.gitolite.enableGitAnnex¶
Enable git-annex support. Uses the
extraGitoliteRcoption to apply the necessary configuration.Type: boolean
Default:
falseDeclared by:
services.gitolite.adminPubkey¶
Initial administrative public key for Gitolite. This should be an SSH Public Key. Note that this key will only be used once, upon the first initialization of the Gitolite user. The key string cannot have any line breaks in it.
Type: string
Declared by:
services.gitolite.commonHooks¶
A list of custom git hooks that get copied to
~/.gitolite/hooks/common.Type: list of paths
Default: ``[
]``
Declared by:
services.gitolite.dataDir¶
Gitolite home directory (used to store all the repositories).
Type: string
Default:
"/var/lib/gitolite"Declared by:
services.gitolite.extraGitoliteRc¶
Extra configuration to append to the default
~/.gitolite.rc.This should be Perl code that modifies the
%RCconfiguration variable. The default~/.gitolite.rccontent is generated by invokinggitolite print-default-rc, and extra configuration from this option is appended to it. The result is placed to Nix store, and the~/.gitolite.rcfile becomes a symlink to it.If you already have a customized (or otherwise changed)``~/.gitolite.rc`` file, NixOS will refuse to replace it with a symlink, and the `gitolite-init` initialization service will fail. In this situation, in order to use this option, you will need to take any customizations you may have in``~/.gitolite.rc``, convert them to appropriate Perl statements, add them to this option, and remove the file.
See also the
enableGitAnnexoption.Type: strings concatenated with “\n”
Default:
""Example:
$RC{UMASK} = 0027; $RC{SITE_INFO} = 'This is our private repository host'; push( @{$RC{ENABLE}}, 'Kindergarten' ); # enable the command/feature @{$RC{ENABLE}} = grep { $_ ne 'desc' } @{$RC{ENABLE}}; # disable the command/featureDeclared by:
services.gitolite.group¶
Primary group of the Gitolite user account.
Type: string
Default:
"gitolite"Declared by:
services.gitolite.user¶
Gitolite user account. This is the username of the gitolite endpoint.
Type: string
Default:
"gitolite"Declared by:
services.gitweb.extraConfig¶
Verbatim configuration text appended to the generated gitweb.conf file.
Type: strings concatenated with “\n”
Default:
""Example:
'' $feature{'highlight'}{'default'} = [1]; $feature{'ctags'}{'default'} = [1]; $feature{'avatar'}{'default'} = ['gravatar']; ''Declared by:
services.gitweb.gitwebTheme¶
Use an alternative theme for gitweb, strongly inspired by GitHub.
Type: boolean
Default:
falseDeclared by:
services.gitweb.projectroot¶
Path to git projects (bare repositories) that should be served by gitweb. Must not end with a slash.
Type: path
Default:
"/srv/git"Declared by:
services.glusterfs.enable¶
Whether to enable GlusterFS Daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.glusterfs.enableGlustereventsd¶
Whether to enable the GlusterFS Events Daemon
Type: boolean
Default:
trueDeclared by:
services.glusterfs.extraFlags¶
services.glusterfs.killMode¶
The systemd KillMode to use for glusterd.
glusterd spawns other daemons like gsyncd. If you want these to stop when glusterd is stopped (e.g. to ensure that NixOS config changes are reflected even for these sub-daemons), set this to ‘control-group’. If however you want running volume processes (glusterfsd) and thus gluster mounts not be interrupted when glusterd is restarted (for example, when you want to restart them manually at a later time), set this to ‘process’.
Type: one of “control-group”, “process”, “mixed”, “none”
Default:
"control-group"Declared by:
services.glusterfs.logLevel¶
Log level used by the GlusterFS daemon
Type: one of “DEBUG”, “INFO”, “WARNING”, “ERROR”, “CRITICAL”, “TRACE”, “NONE”
Default:
"INFO"Declared by:
services.glusterfs.stopKillTimeout¶
The systemd TimeoutStopSec to use.
After this time after having been asked to shut down, glusterd (and depending on the killMode setting also its child processes) are killed by systemd.
The default is set low because GlusterFS (as of 3.10) is known to not tell its children (like gsyncd) to terminate at all.
Type: string
Default:
"5s"Declared by:
services.glusterfs.tlsSettings¶
Make the server communicate via TLS. This means it will only connect to other gluster servers having certificates signed by the same CA.
Enabling this will create a file
/var/lib/glusterd/secure-access. Disabling will delete this file again.See also: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/
Type: null or submodule
Default:
nullDeclared by:
services.glusterfs.tlsSettings.caCert¶
Path certificate authority used to sign the cluster certificates.
Type: path
Default:
nullDeclared by:
services.glusterfs.tlsSettings.tlsKeyPath¶
Path to the private key used for TLS.
Type: string
Default:
nullDeclared by:
services.glusterfs.tlsSettings.tlsPem¶
Path to the certificate used for TLS.
Type: path
Default:
nullDeclared by:
services.glusterfs.useRpcbind¶
Enable use of rpcbind. This is required for Gluster’s NFS functionality.
You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/ and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
Type: boolean
Default:
trueDeclared by:
services.gnome3.at-spi2-core.enable¶
Whether to enable at-spi2-core, a service for the Assistive Technologies available on the GNOME platform.
Enable this if you get the error or warning``The name org.a11y.Bus was not provided by any .service files``.
Type: boolean
Default:
falseDeclared by:
services.gnome3.chrome-gnome-shell.enable¶
Whether to enable Chrome GNOME Shell native host connector, a DBus service allowing to install GNOME Shell extensions from a web browser. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.core-os-services.enable¶
Whether to enable essential services for GNOME3.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.core-shell.enable¶
Whether to enable GNOME Shell services.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.core-utilities.enable¶
Whether to enable GNOME core utilities.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.evolution-data-server.enable¶
Whether to enable Evolution Data Server, a collection of services for storing addressbooks and calendars.
Type: boolean
Default:
falseDeclared by:
services.gnome3.games.enable¶
Whether to enable GNOME games.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.glib-networking.enable¶
Whether to enable network extensions for GLib.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.gnome-initial-setup.enable¶
Whether to enable GNOME Initial Setup, a Simple, easy, and safe way to prepare a new system.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.gnome-keyring.enable¶
Whether to enable GNOME Keyring daemon, a service designed to take care of the user’s security credentials, such as user names and passwords.
Type: boolean
Default:
falseDeclared by:
services.gnome3.gnome-online-accounts.enable¶
Whether to enable GNOME Online Accounts daemon, a service that provides a single sign-on framework for the GNOME desktop.
Type: boolean
Default:
falseDeclared by:
services.gnome3.gnome-online-miners.enable¶
Whether to enable GNOME Online Miners, a service that crawls through your online content.
Type: boolean
Default:
falseDeclared by:
services.gnome3.gnome-remote-desktop.enable¶
Whether to enable Remote Desktop support using Pipewire.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.gnome-settings-daemon.enable¶
Whether to enable GNOME Settings Daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gnome3.rygel.enable¶
Whether to enable Rygel UPnP Mediaserver.
You will need to also allow UPnP connections in firewall, see the following comment.
Type: boolean
Default:
falseDeclared by:
services.gnome3.sushi.enable¶
Whether to enable Sushi, a quick previewer for nautilus.
Type: boolean
Default:
falseDeclared by:
services.gnome3.tracker.enable¶
Whether to enable Tracker services, a search engine, search tool and metadata storage system.
Type: boolean
Default:
falseDeclared by:
services.gnome3.tracker-miners.enable¶
Whether to enable Tracker miners, indexing services for Tracker search engine and metadata storage system.
Type: boolean
Default:
falseDeclared by:
services.gnunet.enable¶
Whether to run the GNUnet daemon. GNUnet is GNU’s anonymous peer-to-peer communication and file sharing framework.
Type: boolean
Default:
falseDeclared by:
services.gnunet.package¶
Overridable attribute of the gnunet package to use.
Type: package
Default:
"pkgs.gnunet"Example:
pkgs.gnunet_gitDeclared by:
services.gnunet.extraOptions¶
Additional options that will be copied verbatim in `gnunet.conf’. See `gnunet.conf(5)’ for details.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.gnunet.fileSharing.quota¶
Maximum file system usage (in MiB) for file sharing.
Type: signed integer
Default:
1024Declared by:
services.gnunet.load.hardNetUpBandwidth¶
Hard bandwidth limit (in bits per second) when uploading data.
Type: signed integer
Default:
0Declared by:
services.gnunet.load.maxNetDownBandwidth¶
Maximum bandwidth usage (in bits per second) for GNUnet when downloading data.
Type: signed integer
Default:
50000Declared by:
services.gnunet.load.maxNetUpBandwidth¶
Maximum bandwidth usage (in bits per second) for GNUnet when downloading data.
Type: signed integer
Default:
50000Declared by:
services.gnunet.tcp.port¶
The TCP port for use by GNUnet.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
2086Declared by:
services.gnunet.udp.port¶
The UDP port for use by GNUnet.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
2086Declared by:
services.go-shadowsocks2.server.enable¶
Whether to enable go-shadowsocks2 server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.go-shadowsocks2.server.listenAddress¶
Server listen address or URL
Type: string
Example:
"ss://AEAD_CHACHA20_POLY1305:your-password@:8488"Declared by:
services.gocd-agent.enable¶
Whether to enable gocd-agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gocd-agent.packages¶
Packages to add to PATH for the Go.CD agent process.
Type: list of packages
Default:
"[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]"Declared by:
services.gocd-agent.agentConfig¶
Agent registration configuration.
Type: string
Default:
""Example:
'' agent.auto.register.resources=ant,java agent.auto.register.environments=QA,Performance agent.auto.register.hostname=Agent01 ''Declared by:
services.gocd-agent.environment¶
Additional environment variables to be passed to the Go.CD agent process. As a base environment, Go.CD agent receives NIX_PATH from, NIX_REMOTE is set to “daemon”.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.gocd-agent.extraGroups¶
List of extra groups that the “gocd-agent” user should be a part of.
Type: list of strings
Default: ``[
]``
Example:
[ "wheel" "docker" ]Declared by:
services.gocd-agent.extraOptions¶
Specifies additional command line arguments to pass to Go.CD agent java process. Example contains debug and gcLog arguments.
Type: unspecified
Default: ``[
]``
Example:
[ "-X debug" "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006" "-verbose:gc" "-Xloggc:go-agent-gc.log" "-XX:+PrintGCTimeStamps" "-XX:+PrintTenuringDistribution" "-XX:+PrintGCDetails" "-XX:+PrintGC" ]Declared by:
services.gocd-agent.goServer¶
URL of the GoCD Server to attach the Go.CD Agent to.
Type: string
Default:
"https://127.0.0.1:8154/go"Declared by:
services.gocd-agent.group¶
If the default user “gocd-agent” is configured then this is the primary group of that user.
Type: string
Default:
"gocd-agent"Declared by:
services.gocd-agent.initialJavaHeapSize¶
Specifies the initial java heap memory size for the Go.CD agent java process.
Type: string
Default:
"128m"Declared by:
services.gocd-agent.maxJavaHeapMemory¶
Specifies the java maximum heap memory size for the Go.CD agent java process.
Type: string
Default:
"256m"Declared by:
services.gocd-agent.startupOptions¶
Specifies startup command line arguments to pass to Go.CD agent java process.
Type: unspecified
Default:
[ "-Xms128m" "-Xmx256m" "-Djava.io.tmpdir=/tmp" "-Dcruise.console.publish.interval=10" "-Djava.security.egd=file:/dev/./urandom" ]Declared by:
services.gocd-agent.user¶
User the Go.CD agent should execute under.
Type: string
Default:
"gocd-agent"Declared by:
services.gocd-agent.workDir¶
Specifies the working directory in which the Go.CD agent java archive resides.
Type: string
Default:
"/var/lib/go-agent"Declared by:
services.gocd-server.enable¶
Whether to enable gocd-server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gocd-server.packages¶
Packages to add to PATH for the Go.CD server’s process.
Type: list of packages
Default:
"[ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]"Declared by:
services.gocd-server.environment¶
Additional environment variables to be passed to the gocd-server process. As a base environment, gocd-server receives NIX_PATH from, NIX_REMOTE is set to “daemon”.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.gocd-server.extraGroups¶
List of extra groups that the “gocd-server” user should be a part of.
Type: unspecified
Default: ``[
]``
Example:
[ "wheel" "docker" ]Declared by:
services.gocd-server.extraOptions¶
Specifies additional command line arguments to pass to Go.CD server’s java process. Example contains debug and gcLog arguments.
Type: unspecified
Default: ``[
]``
Example:
[ "-X debug" "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005" "-verbose:gc" "-Xloggc:go-server-gc.log" "-XX:+PrintGCTimeStamps" "-XX:+PrintTenuringDistribution" "-XX:+PrintGCDetails" "-XX:+PrintGC" ]Declared by:
services.gocd-server.group¶
If the default user “gocd-server” is configured then this is the primary group of that user.
Type: string
Default:
"gocd-server"Declared by:
services.gocd-server.initialJavaHeapSize¶
Specifies the initial java heap memory size for the Go.CD server’s java process.
Type: string
Default:
"512m"Declared by:
services.gocd-server.listenAddress¶
Specifies the bind address on which the Go.CD server HTTP interface listens.
Type: string
Default:
"0.0.0.0"Example:
"localhost"Declared by:
services.gocd-server.maxJavaHeapMemory¶
Specifies the java maximum heap memory size for the Go.CD server’s java process.
Type: string
Default:
"1024m"Declared by:
services.gocd-server.port¶
Specifies port number on which the Go.CD server HTTP interface listens.
Type: signed integer
Default:
8153Declared by:
services.gocd-server.sslPort¶
Specifies port number on which the Go.CD server HTTPS interface listens.
Type: signed integer
Default:
8154Declared by:
services.gocd-server.startupOptions¶
Specifies startup command line arguments to pass to Go.CD server java process.
Type: unspecified
Default:
[ "-Xms512m" "-Xmx1024m" "-Dcruise.listen.host=0.0.0.0" "-Duser.language=en" "-Djruby.rack.request.size.threshold.bytes=30000000" "-Duser.country=US" "-Dcruise.config.dir=/var/lib/go-server/conf" "-Dcruise.config.file=/var/lib/go-server/conf/cruise-config.xml" "-Dcruise.server.port=8153" "-Dcruise.server.ssl.port=8154" ]Declared by:
services.gocd-server.user¶
User the Go.CD server should execute under.
Type: string
Default:
"gocd-server"Declared by:
services.gocd-server.workDir¶
Specifies the working directory in which the Go.CD server java archive resides.
Type: string
Default:
"/var/lib/go-server"Declared by:
services.gogoclient.enable¶
Enable the gogoCLIENT IPv6 tunnel.
Type: boolean
Default:
falseDeclared by:
services.gogoclient.autorun¶
Whether to automatically start the tunnel.
Type: unspecified
Default:
trueDeclared by:
services.gogoclient.password¶
Path to a file (as a string), containing your gogoNET password, if any.
Type: string
Default:
""Declared by:
services.gogoclient.server¶
The Gateway6 server to be used.
Type: unspecified
Default:
"anonymous.freenet6.net"Example:
"broker.freenet6.net"Declared by:
services.gogoclient.username¶
Your Gateway6 login name, if any.
Type: unspecified
Default:
""Declared by:
services.gogs.enable¶
Enable Go Git Service.
Type: boolean
Default:
falseDeclared by:
services.gogs.appName¶
Application name.
Type: string
Default:
"Gogs: Go Git Service"Declared by:
services.gogs.cookieSecure¶
Marks session cookies as “secure” as a hint for browsers to only send them via HTTPS. This option is recommend, if Gogs is being served over HTTPS.
Type: boolean
Default:
falseDeclared by:
services.gogs.database.host¶
Database host address.
Type: string
Default:
"127.0.0.1"Declared by:
services.gogs.database.name¶
Database name.
Type: string
Default:
"gogs"Declared by:
services.gogs.database.password¶
The password corresponding to . Warning: this is stored in cleartext in the Nix store! Use instead.
Type: string
Default:
""Declared by:
services.gogs.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/gogs-dbpassword"Declared by:
services.gogs.database.path¶
Path to the sqlite3 database file.
Type: string
Default:
"/var/lib/gogs/data/gogs.db"Declared by:
services.gogs.database.port¶
Database host port.
Type: signed integer
Default:
3306Declared by:
services.gogs.database.type¶
Database engine to use.
Type: one of “sqlite3”, “mysql”, “postgres”
Default:
"sqlite3"Example:
"mysql"Declared by:
services.gogs.database.user¶
Database user.
Type: string
Default:
"gogs"Declared by:
services.gogs.domain¶
Domain name of your server.
Type: string
Default:
"localhost"Declared by:
services.gogs.extraConfig¶
Configuration lines appended to the generated Gogs configuration file.
Type: string
Default:
""Declared by:
services.gogs.group¶
Group account under which Gogs runs.
Type: string
Default:
"gogs"Declared by:
services.gogs.httpAddress¶
HTTP listen address.
Type: string
Default:
"0.0.0.0"Declared by:
services.gogs.httpPort¶
HTTP listen port.
Type: signed integer
Default:
3000Declared by:
services.gogs.repositoryRoot¶
Path to the git repositories.
Type: string
Default:
"/var/lib/gogs/repositories"Declared by:
services.gogs.rootUrl¶
Full public URL of Gogs server.
Type: string
Default:
"http://localhost:3000/"Declared by:
services.gogs.stateDir¶
Gogs data directory.
Type: string
Default:
"/var/lib/gogs"Declared by:
services.gogs.staticRootPath¶
Upper level of template and static files path.
Type: string
Default:
"\\${pkgs.gogs.data}"Example:
"/var/lib/gogs/data"Declared by:
services.gogs.useWizard¶
Do not generate a configuration and use Gogs’ installation wizard instead. The first registered user will be administrator.
Type: boolean
Default:
falseDeclared by:
services.gogs.user¶
User account under which Gogs runs.
Type: string
Default:
"gogs"Declared by:
services.gollum.enable¶
Enable the Gollum service.
Type: boolean
Default:
falseDeclared by:
services.gollum.address¶
IP address on which the web server will listen.
Type: string
Default:
"0.0.0.0"Declared by:
services.gollum.allowUploads¶
Enable uploads of external files
Type: null or one of “dir”, “page”
Default:
nullDeclared by:
services.gollum.branch¶
Git branch to serve
Type: string
Default:
"master"Example:
"develop"Declared by:
services.gollum.emoji¶
Parse and interpret emoji tags
Type: boolean
Default:
falseDeclared by:
services.gollum.extraConfig¶
Content of the configuration file
Type: strings concatenated with “\n”
Default:
""Declared by:
services.gollum.mathjax¶
Enable support for math rendering using MathJax
Type: boolean
Default:
falseDeclared by:
services.gollum.port¶
Port on which the web server will run.
Type: signed integer
Default:
4567Declared by:
services.gollum.stateDir¶
Specifies the path of the repository directory. If it does not exist, Gollum will create it on startup.
Type: path
Default:
"/var/lib/gollum"Declared by:
services.gotify.enable¶
Whether to enable Gotify webserver.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gotify.port¶
Port the server listens to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.gotify.stateDirectoryName¶
The name of the directory below
/var/libwhere gotify stores its runtime data.Type: string
Default:
"gotify-server"Declared by:
services.gpm.enable¶
Whether to enable GPM, the General Purpose Mouse daemon, which enables mouse support in virtual consoles.
Type: boolean
Default:
falseDeclared by:
services.gpm.protocol¶
Mouse protocol to use.
Type: string
Default:
"ps/2"Declared by:
services.gpsd.enable¶
Whether to enable `gpsd’, a GPS service daemon.
Type: boolean
Default:
falseDeclared by:
services.gpsd.debugLevel¶
The debugging level.
Type: signed integer
Default:
0Declared by:
services.gpsd.device¶
A device may be a local serial device for GPS input, or a URL of the form:
[{dgpsip|ntrip}://][user:passwd@]host[:port][/stream]in which case it specifies an input source for DGPS or ntrip data.Type: string
Default:
"/dev/ttyUSB0"Declared by:
services.gpsd.nowait¶
don’t wait for client connects to poll GPS
Type: boolean
Default:
falseDeclared by:
services.gpsd.port¶
The port where to listen for TCP connections.
Type: signed integer
Default:
2947Declared by:
services.gpsd.readonly¶
Whether to enable the broken-device-safety, otherwise known as read-only mode. Some popular bluetooth and USB receivers lock up or become totally inaccessible when probed or reconfigured. This switch prevents gpsd from writing to a receiver. This means that gpsd cannot configure the receiver for optimal performance, but it also means that gpsd cannot break the receiver. A better solution would be for Bluetooth to not be so fragile. A platform independent method to identify serial-over-Bluetooth devices would also be nice.
Type: boolean
Default:
trueDeclared by:
services.grafana.enable¶
Whether to enable grafana.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.grafana.package¶
Package to use.
Type: package
Default:
"pkgs.grafana"Declared by:
services.grafana.addr¶
Listening address.
Type: string
Default:
"127.0.0.1"Declared by:
services.grafana.analytics.reporting.enable¶
Whether to allow anonymous usage reporting to stats.grafana.net
Type: boolean
Default:
trueDeclared by:
services.grafana.auth.anonymous.enable¶
Whether to allow anonymous access
Type: boolean
Default:
falseDeclared by:
services.grafana.auth.anonymous.org_name¶
Which organization to allow anonymous access to
Type: string
Default:
"Main Org."Declared by:
services.grafana.auth.anonymous.org_role¶
Which role anonymous users have in the organization
Type: string
Default:
"Viewer"Declared by:
services.grafana.certFile¶
Cert file for ssl.
Type: string
Default:
""Declared by:
services.grafana.certKey¶
Cert key for ssl.
Type: string
Default:
""Declared by:
services.grafana.dataDir¶
Data directory.
Type: path
Default:
"/var/lib/grafana"Declared by:
services.grafana.database.connMaxLifetime¶
Sets the maximum amount of time (in seconds) a connection may be reused. For MySQL this setting should be shorter than the `wait_timeout’ variable.
Type: signed integer or one of “unlimited”
Default:
"unlimited"Example:
14400Declared by:
services.grafana.database.host¶
Database host.
Type: string
Default:
"127.0.0.1:3306"Declared by:
services.grafana.database.name¶
Database name.
Type: string
Default:
"grafana"Declared by:
services.grafana.database.password¶
Database password. This option is mutual exclusive with the passwordFile option.
Type: string
Default:
""Declared by:
services.grafana.database.passwordFile¶
File that containts the database password. This option is mutual exclusive with the password option.
Type: null or path
Default:
nullDeclared by:
services.grafana.database.path¶
Database path.
Type: path
Default:
"/var/lib/grafana/data/grafana.db"Declared by:
services.grafana.database.type¶
Database type.
Type: one of “mysql”, “sqlite3”, “postgres”
Default:
"sqlite3"Declared by:
services.grafana.database.user¶
Database user.
Type: string
Default:
"root"Declared by:
services.grafana.domain¶
The public facing domain name used to access grafana from a browser.
Type: string
Default:
"localhost"Declared by:
services.grafana.extraOptions¶
Extra configuration options passed as env variables as specified in`documentation <http://docs.grafana.org/installation/configuration/>`_, but without GF_ prefix
Type: attribute set of string or paths
Default: ``{
}``
Declared by:
services.grafana.port¶
Listening port.
Type: signed integer
Default:
3000Declared by:
services.grafana.protocol¶
Which protocol to listen.
Type: one of “http”, “https”, “socket”
Default:
"http"Declared by:
services.grafana.provision.enable¶
Whether to enable provision.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.grafana.provision.dashboards¶
services.grafana.provision.dashboards.*.disableDeletion¶
Disable deletion when JSON file is removed
Type: boolean
Default:
falseDeclared by:
services.grafana.provision.dashboards.*.folder¶
Add dashboards to the specified folder
Type: string
Default:
""Declared by:
services.grafana.provision.dashboards.*.name¶
Provider name
Type: string
Default:
"default"Declared by:
services.grafana.provision.dashboards.*.options.path¶
Path grafana will watch for dashboards
Type: path
Declared by:
services.grafana.provision.dashboards.*.orgId¶
Organization ID
Type: signed integer
Default:
1Declared by:
services.grafana.provision.dashboards.*.type¶
Dashboard provider type
Type: string
Default:
"file"Declared by:
services.grafana.provision.dashboards.*.updateIntervalSeconds¶
How often Grafana will scan for changed dashboards
Type: signed integer
Default:
10Declared by:
services.grafana.provision.datasources¶
services.grafana.provision.datasources.*.access¶
Access mode. proxy or direct (Server or Browser in the UI). Required
Type: one of “proxy”, “direct”
Default:
"proxy"Declared by:
services.grafana.provision.datasources.*.basicAuth¶
Enable/disable basic auth
Type: null or boolean
Default:
nullDeclared by:
services.grafana.provision.datasources.*.basicAuthPassword¶
Basic auth password
Type: null or string
Default:
nullDeclared by:
services.grafana.provision.datasources.*.basicAuthUser¶
Basic auth username
Type: null or string
Default:
nullDeclared by:
services.grafana.provision.datasources.*.database¶
Database name, if used
Type: null or string
Default:
nullDeclared by:
services.grafana.provision.datasources.*.editable¶
Allow users to edit datasources from the UI.
Type: boolean
Default:
falseDeclared by:
services.grafana.provision.datasources.*.isDefault¶
Mark as default datasource. Max one per org
Type: boolean
Default:
falseDeclared by:
services.grafana.provision.datasources.*.jsonData¶
Datasource specific configuration
Type: null or attribute set
Default:
nullDeclared by:
services.grafana.provision.datasources.*.name¶
Name of the datasource. Required
Type: string
Declared by:
services.grafana.provision.datasources.*.orgId¶
Org id. will default to orgId 1 if not specified
Type: signed integer
Default:
1Declared by:
services.grafana.provision.datasources.*.password¶
Database password, if used
Type: null or string
Default:
nullDeclared by:
services.grafana.provision.datasources.*.secureJsonData¶
Datasource specific secure configuration
Type: null or attribute set
Default:
nullDeclared by:
services.grafana.provision.datasources.*.type¶
Datasource type. Required
Type: one of “graphite”, “prometheus”, “cloudwatch”, “elasticsearch”, “influxdb”, “opentsdb”, “mysql”, “mssql”, “postgres”, “loki”
Declared by:
services.grafana.provision.datasources.*.url¶
Url of the datasource
Type: string
Declared by:
services.grafana.provision.datasources.*.user¶
Database user, if used
Type: null or string
Default:
nullDeclared by:
services.grafana.provision.datasources.*.version¶
Version
Type: signed integer
Default:
1Declared by:
services.grafana.provision.datasources.*.withCredentials¶
Enable/disable with credentials headers
Type: boolean
Default:
falseDeclared by:
services.grafana.rootUrl¶
Full public facing url.
Type: string
Default:
"%(protocol)s://%(domain)s:%(http_port)s/"Declared by:
services.grafana.security.adminPassword¶
Default admin password. This option is mutual exclusive with the adminPasswordFile option.
Type: string
Default:
"admin"Declared by:
services.grafana.security.adminPasswordFile¶
Default admin password. This option is mutual exclusive with the
adminPasswordoption.Type: null or path
Default:
nullDeclared by:
services.grafana.security.adminUser¶
Default admin username.
Type: string
Default:
"admin"Declared by:
services.grafana.security.secretKey¶
Secret key used for signing.
Type: string
Default:
"SW2YcwTIb9zpOOhoPsMm"Declared by:
services.grafana.security.secretKeyFile¶
Secret key used for signing.
Type: null or path
Default:
nullDeclared by:
services.grafana.smtp.enable¶
Whether to enable smtp.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.grafana.smtp.fromAddress¶
Email address used for sending
Type: string
Default:
"admin@grafana.localhost"Declared by:
services.grafana.smtp.host¶
Host to connect to
Type: string
Default:
"localhost:25"Declared by:
services.grafana.smtp.password¶
Password used for authentication. This option is mutual exclusive with the passwordFile option.
Type: string
Default:
""Declared by:
services.grafana.smtp.passwordFile¶
Password used for authentication. This option is mutual exclusive with the password option.
Type: null or path
Default:
nullDeclared by:
services.grafana.smtp.user¶
User used for authentication
Type: string
Default:
""Declared by:
services.grafana.staticRootPath¶
Root path for static assets.
Type: string
Default:
"\\${pkgs.grafana}/share/grafana/public"Declared by:
services.grafana.users.allowOrgCreate¶
Whether user is allowed to create organizations.
Type: boolean
Default:
falseDeclared by:
services.grafana.users.allowSignUp¶
Disable user signup / registration
Type: boolean
Default:
falseDeclared by:
services.grafana.users.autoAssignOrg¶
Whether to automatically assign new users to default org.
Type: boolean
Default:
trueDeclared by:
services.grafana.users.autoAssignOrgRole¶
Default role new users will be auto assigned.
Type: one of “Viewer”, “Editor”
Default:
"Viewer"Declared by:
services.grafana_reporter.enable¶
Whether to enable grafana_reporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.grafana_reporter.addr¶
Listening address.
Type: string
Default:
"127.0.0.1"Declared by:
services.grafana_reporter.grafana.addr¶
Grafana address.
Type: string
Default:
"127.0.0.1"Declared by:
services.grafana_reporter.grafana.port¶
Grafana port.
Type: signed integer
Default:
3000Declared by:
services.grafana_reporter.grafana.protocol¶
Grafana protocol.
Type: one of “http”, “https”
Default:
"http"Declared by:
services.grafana_reporter.port¶
Listening port.
Type: signed integer
Default:
8686Declared by:
services.grafana_reporter.templateDir¶
Optional template directory to use custom tex templates
Type: string
Default:
"\\${pkgs.grafana_reporter}"Declared by:
services.graphite.api.enable¶
Whether to enable graphite api. Graphite api is lightweight alternative to graphite web, with api and without dashboard. It’s advised to use grafana as alternative dashboard and influxdb as alternative to graphite carbon.
For more information visit` <https://graphite-api.readthedocs.org/en/latest/>`_
Type: boolean
Default:
falseDeclared by:
services.graphite.api.package¶
Package to use for graphite api.
Type: package
Default:
"pkgs.python27Packages.graphite_api"Declared by:
services.graphite.api.extraConfig¶
Extra configuration for graphite api.
Type: strings concatenated with “\n”
Default:
'' whisper: directories: - /var/db/graphite/whisper ''Example:
'' allowed_origins: - dashboard.example.com cheat_times: true influxdb: host: localhost port: 8086 user: influxdb pass: influxdb db: metrics cache: CACHE_TYPE: 'filesystem' CACHE_DIR: '/tmp/graphite-api-cache' ''Declared by:
services.graphite.api.finders¶
List of finder plugins to load.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.python27Packages.influxgraph ]Declared by:
services.graphite.api.functions¶
List of functions to load.
Type: list of strings
Default:
[ "graphite_api.functions.SeriesFunctions" "graphite_api.functions.PieFunctions" ]Declared by:
services.graphite.api.listenAddress¶
Graphite web service listen address.
Type: string
Default:
"127.0.0.1"Declared by:
services.graphite.api.port¶
Graphite api service port.
Type: signed integer
Default:
8080Declared by:
services.graphite.beacon.enable¶
Whether to enable graphite beacon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.graphite.beacon.config¶
services.graphite.carbon.enableAggregator¶
Whether to enable carbon aggregator, the carbon buffering service.
Type: boolean
Default:
falseDeclared by:
services.graphite.carbon.enableCache¶
Whether to enable carbon cache, the graphite storage daemon.
Type: boolean
Default:
falseDeclared by:
services.graphite.carbon.enableRelay¶
Whether to enable carbon relay, the carbon replication and sharding service.
Type: boolean
Default:
falseDeclared by:
services.graphite.carbon.aggregationRules¶
Defines if and how received metrics will be aggregated.
Type: null or string
Default:
nullExample:
'' <env>.applications.<app>.all.requests (60) = sum <env>.applications.<app>.*.requests <env>.applications.<app>.all.latency (60) = avg <env>.applications.<app>.*.latency ''Declared by:
services.graphite.carbon.blacklist¶
Any metrics received which match one of the experssions will be dropped.
Type: null or string
Default:
nullExample:
''^some\\.noisy\\.metric\\.prefix\\..*''Declared by:
services.graphite.carbon.config¶
Content of carbon configuration file.
Type: string
Default:
'' [cache] # Listen on localhost by default for security reasons UDP_RECEIVER_INTERFACE = 127.0.0.1 PICKLE_RECEIVER_INTERFACE = 127.0.0.1 LINE_RECEIVER_INTERFACE = 127.0.0.1 CACHE_QUERY_INTERFACE = 127.0.0.1 # Do not log every update LOG_UPDATES = False LOG_CACHE_HITS = False ''Declared by:
services.graphite.carbon.relayRules¶
Relay rules are used to send certain metrics to a certain backend.
Type: null or string
Default:
nullExample:
'' [example] pattern = ^mydata\.foo\..+ servers = 10.1.2.3, 10.1.2.4:2004, myserver.mydomain.com ''Declared by:
services.graphite.carbon.rewriteRules¶
Regular expression patterns that can be used to rewrite metric names in a search and replace fashion.
Type: null or string
Default:
nullExample:
'' [post] _sum$ = _avg$ = ''Declared by:
services.graphite.carbon.storageAggregation¶
Defines how to aggregate data to lower-precision retentions.
Type: null or string
Default:
nullExample:
'' [all_min] pattern = \.min$ xFilesFactor = 0.1 aggregationMethod = min ''Declared by:
services.graphite.carbon.storageSchemas¶
Defines retention rates for storing metrics.
Type: null or string
Default:
""Example:
'' [apache_busyWorkers] pattern = ^servers\.www.*\.workers\.busyWorkers$ retentions = 15s:7d,1m:21d,15m:5y ''Declared by:
services.graphite.carbon.whitelist¶
Only metrics received which match one of the experssions will be persisted.
Type: null or string
Default:
nullExample:
".*"Declared by:
services.graphite.dataDir¶
Data directory for graphite.
Type: path
Default:
"/var/db/graphite"Declared by:
services.graphite.pager.enable¶
Whether to enable graphite-pager service. For more information visit` <https://github.com/seatgeek/graphite-pager>`_
Type: boolean
Default:
falseDeclared by:
services.graphite.pager.alerts¶
Alerts configuration for graphite-pager.
Type: strings concatenated with “\n”
Default:
'' alerts: - target: constantLine(100) warning: 90 critical: 200 name: Test ''Example:
'' pushbullet_key: pushbullet_api_key alerts: - target: stats.seatgeek.app.deal_quality.venue_info_cache.hit warning: .5 critical: 1 name: Deal quality venue cache hits ''Declared by:
services.graphite.pager.graphiteUrl¶
URL to your graphite service.
Type: string
Default:
"http://127.0.0.1:8080"Declared by:
services.graphite.pager.redisUrl¶
Redis connection string.
Type: string
Default:
"redis://localhost:6379/"Declared by:
services.graphite.seyren.enable¶
Whether to enable seyren service.
Type: boolean
Default:
falseDeclared by:
services.graphite.seyren.extraConfig¶
Extra seyren configuration. See` <https://github.com/scobal/seyren#config>`_
Type: attribute set of strings
Default: ``{
}``
Example:
{ GRAPHITE_USERNAME = "user"; GRAPHITE_PASSWORD = "pass"; }Declared by:
services.graphite.seyren.graphiteUrl¶
Host where graphite service runs.
Type: string
Default:
"http://127.0.0.1:8080"Declared by:
services.graphite.seyren.mongoUrl¶
Mongodb connection string.
Type: string
Default:
"mongodb://127.0.0.1:27017/seyren"Declared by:
services.graphite.seyren.port¶
Seyren listening port.
Type: signed integer
Default:
8081Declared by:
services.graphite.seyren.seyrenUrl¶
Host where seyren is accessible.
Type: string
Default:
"http://localhost:8081/"Declared by:
services.graphite.web.enable¶
Whether to enable graphite web frontend.
Type: boolean
Default:
falseDeclared by:
services.graphite.web.extraConfig¶
Graphite webapp settings. See:` <http://graphite.readthedocs.io/en/latest/config-local-settings.html>`_
Type: string
Default:
""Declared by:
services.graphite.web.listenAddress¶
Graphite web frontend listen address.
Type: string
Default:
"127.0.0.1"Declared by:
services.graphite.web.port¶
Graphite web frontend port.
Type: signed integer
Default:
8080Declared by:
services.graylog.enable¶
Whether to enable Graylog.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.graylog.package¶
Graylog package to use.
Type: package
Default:
"pkgs.graylog"Example:
pkgs.graylogDeclared by:
services.graylog.elasticsearchHosts¶
List of valid URIs of the http ports of your elastic nodes. If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that requires authentication
Type: list of strings
Example:
[ "http://node1:9200" "http://user:password@node2:19200" ]Declared by:
services.graylog.extraConfig¶
Any other configuration options you might want to add
Type: strings concatenated with “\n”
Default:
""Declared by:
services.graylog.isMaster¶
Whether this is the master instance of your Graylog cluster
Type: boolean
Default:
trueDeclared by:
services.graylog.messageJournalDir¶
The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself
Type: string
Default:
"/var/lib/graylog/data/journal"Declared by:
services.graylog.mongodbUri¶
MongoDB connection string. See http://docs.mongodb.org/manual/reference/connection-string/ for details
Type: string
Default:
"mongodb://localhost/graylog"Declared by:
services.graylog.nodeIdFile¶
Path of the file containing the graylog node-id
Type: string
Default:
"/var/lib/graylog/server/node-id"Declared by:
services.graylog.passwordSecret¶
You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters. Generate one by using for example: pwgen -N 1 -s 96
Type: string
Declared by:
services.graylog.plugins¶
services.graylog.rootPasswordSha2¶
You MUST specify a hash password for the root user (which you only need to initially set up the system and in case you lose connectivity to your authentication backend) This password cannot be changed using the API or via the web interface. If you need to change it, modify it here. Create one by using for example: echo -n yourpassword | shasum -a 256 and use the resulting hash value as string for the option
Type: string
Example:
"e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952"Declared by:
services.graylog.rootUsername¶
Name of the default administrator user
Type: string
Default:
"admin"Declared by:
services.graylog.user¶
User account under which graylog runs
Type: string
Default:
"graylog"Example:
graylogDeclared by:
services.greenclip.enable¶
Whether to enable Greenclip daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.greenclip.package¶
greenclip derivation to use.
Type: package
Default:
"pkgs.haskellPackages.greenclip"Declared by:
services.grocy.enable¶
Whether to enable grocy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.grocy.dataDir¶
Home directory of the
grocyuser which contains the application’s state.Type: string
Default:
"/var/lib/grocy"Declared by:
services.grocy.hostName¶
FQDN for the grocy instance.
Type: string
Declared by:
services.grocy.nginx.enableSSL¶
Whether or not to enable SSL (with ACME and let’s encrypt) for the grocy vhost.
Type: boolean
Default:
trueDeclared by:
services.grocy.phpfpm.settings¶
Options for grocy’s PHPFPM pool.
Type: attribute set of signed integer or string or booleans
Default:
{ catch_workers_output = true; listen.owner = "nginx"; php_admin_flag[log_errors] = true; php_admin_value[error_log] = "stderr"; pm = "dynamic"; pm.max_children = "32"; pm.max_requests = "500"; pm.max_spare_servers = "4"; pm.min_spare_servers = "2"; pm.start_servers = "2"; }Declared by:
services.grocy.settings.calendar.firstDayOfWeek¶
Which day of the week (0=Sunday, 1=Monday etc.) should be the first day.
Type: null or one of 0, 1, 2, 3, 4, 5, 6
Default:
nullDeclared by:
services.grocy.settings.calendar.showWeekNumber¶
Show the number of the weeks in the calendar views.
Type: boolean
Default:
trueDeclared by:
services.grocy.settings.culture¶
Display language of the frontend.
Type: one of “de”, “en”, “da”, “en_GB”, “es”, “fr”, “hu”, “it”, “nl”, “no”, “pl”, “pt_BR”, “ru”, “sk_SK”, “sv_SE”, “tr”
Default:
"en"Declared by:
services.grocy.settings.currency¶
ISO 4217 code for the currency to display.
Type: string
Default:
"USD"Example:
"EUR"Declared by:
services.gsignond.enable¶
Whether to enable gSignOn daemon, a DBus service which performs user authentication on behalf of its clients.
Type: boolean
Default:
falseDeclared by:
services.gsignond.plugins¶
services.gvfs.enable¶
Whether to enable GVfs, a userspace virtual filesystem.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.gvfs.package¶
Which GVfs package to use.
Type: package
Default:
*(build of gvfs-1.42.2)*Declared by:
services.gvpe.enable¶
Whether to run gvpe
Type: unspecified
Default:
falseDeclared by:
services.gvpe.configFile¶
GVPE config file, if already present
Type: unspecified
Default:
nullExample:
"/root/my-gvpe-conf"Declared by:
services.gvpe.configText¶
GVPE config contents
Type: unspecified
Default:
nullExample:
'' tcp-port = 655 udp-port = 655 mtu = 1480 ifname = vpn0 node = alpha hostname = alpha.example.org connect = always enable-udp = true enable-tcp = true on alpha if-up = if-up-0 on alpha pid-file = /var/gvpe/gvpe.pid ''Declared by:
services.gvpe.customIFSetup¶
Additional commands to apply in ifup script
Type: unspecified
Default:
""Declared by:
services.gvpe.ipAddress¶
IP address to assign to GVPE interface
Type: unspecified
Default:
nullDeclared by:
services.gvpe.nodename¶
GVPE node name
Type: unspecified
Default:
nullDeclared by:
services.gvpe.subnet¶
IP subnet assigned to GVPE network
Type: unspecified
Default:
nullExample:
"10.0.0.0/8"Declared by:
services.hadoop.package¶
Type: package
Default:
"pkgs.hadoop"Example:
pkgs.hadoopDeclared by:
services.hadoop.coreSite¶
Hadoop core-site.xml definition
Type: unspecified
Default: ``{
}``
Example:
{ fs.defaultFS = "hdfs://localhost"; }Declared by:
services.hadoop.hdfs.datanode.enabled¶
Whether to run the Hadoop YARN DataNode
Type: boolean
Default:
falseDeclared by:
services.hadoop.hdfs.namenode.enabled¶
Whether to run the Hadoop YARN NameNode
Type: boolean
Default:
falseDeclared by:
services.hadoop.hdfsSite¶
Hadoop hdfs-site.xml definition
Type: unspecified
Default: ``{
}``
Example:
{ dfs.nameservices = "namenode1"; }Declared by:
services.hadoop.mapredSite¶
Hadoop mapred-site.xml definition
Type: unspecified
Default: ``{
}``
Example:
{ mapreduce.map.cpu.vcores = "1"; }Declared by:
services.hadoop.yarn.nodemanager.enabled¶
Whether to run the Hadoop YARN NodeManager
Type: boolean
Default:
falseDeclared by:
services.hadoop.yarn.resourcemanager.enabled¶
Whether to run the Hadoop YARN ResourceManager
Type: boolean
Default:
falseDeclared by:
services.hadoop.yarnSite¶
Hadoop yarn-site.xml definition
Type: unspecified
Default: ``{
}``
Example:
{ yarn.resourcemanager.ha.id = "resourcemanager1"; }Declared by:
services.hail.enable¶
Enables the Hail Auto Update Service. Hail can automatically deploy artifacts built by a Hydra Continous Integration server. A common use case is to provide continous deployment for single services or a full NixOS configuration.
Type: boolean
Default:
falseDeclared by:
services.hail.package¶
Hail package to use.
Type: package
Default:
"pkgs.haskellPackages.hail"Declared by:
services.hail.hydraJobUri¶
The URI of the Hydra Job.
Type: string
Declared by:
services.hail.netrc¶
The netrc file to use when fetching data from Hydra.
Type: null or path
Default:
nullDeclared by:
services.hail.profile¶
The name of the Nix profile used by Hail.
Type: string
Default:
"hail-profile"Declared by:
services.haka.enable¶
Whether to enable Haka.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.haka.package¶
Which Haka derivation to use.
Type: package
Default:
"pkgs.haka"Declared by:
services.haka.configFile¶
Specify which configuration file Haka uses. It can be absolute path or a path relative to the sample directory of the haka git repo.
Type: string
Default:
"empty.lua"Example:
"/srv/haka/myfilter.lua"Declared by:
services.haka.dump.enable¶
Whether to enable dump.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.haka.dump.input¶
Path to file where incoming packets are dumped
Type: path
Default:
"/tmp/input.pcap"Example:
"/path/to/file.pcap"Declared by:
services.haka.dump.output¶
Path to file where outgoing packets are dumped
Type: path
Default:
"/tmp/output.pcap"Example:
"/path/to/file.pcap"Declared by:
services.haka.interfaces¶
Specify which interface(s) Haka listens to. Use ‘any’ to listen to all interfaces.
Type: list of strings
Default:
[ "eth0" ]Example:
[ "any" ]Declared by:
services.haka.nfqueue¶
Whether to enable nfqueue.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.haka.pcap¶
Whether to enable pcap
Type: boolean
Default:
trueDeclared by:
services.haka.threads¶
The number of threads that will be used. All system threads are used by default.
Type: signed integer
Default:
0Example:
4Declared by:
services.hans.clients¶
Each attribute of this option defines a systemd service that runs hans. Many or none may be defined. The name of each service is``hans-name*`` where *name is the name of the corresponding attribute name.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ foo = { server = "192.0.2.1"; extraConfig = "-v"; } }Declared by:
services.hans.clients.<name>.extraConfig¶
Additional command line parameters
Type: string
Default:
""Example:
"-v"Declared by:
services.hans.clients.<name>.passwordFile¶
File that containts password
Type: string
Default:
""Declared by:
services.hans.clients.<name>.server¶
IP address of server running hans
Type: string
Default:
""Example:
"192.0.2.1"Declared by:
services.hans.server.enable¶
enable hans server
Type: boolean
Default:
falseDeclared by:
services.hans.server.extraConfig¶
Additional command line parameters
Type: string
Default:
""Example:
"-v"Declared by:
services.hans.server.ip¶
The assigned ip range
Type: string
Default:
""Example:
"198.51.100.0"Declared by:
services.hans.server.passwordFile¶
File that containts password
Type: string
Default:
""Declared by:
services.hans.server.respondToSystemPings¶
Force hans respond to ordinary pings
Type: boolean
Default:
falseDeclared by:
services.haproxy.enable¶
Whether to enable HAProxy, the reliable, high performance TCP/HTTP load balancer.
Type: boolean
Default:
falseDeclared by:
services.haproxy.config¶
Contents of the HAProxy configuration file,:file:haproxy.conf.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.hardware.bolt.enable¶
Whether to enable Bolt, a userspace daemon to enable security levels for Thunderbolt 3 on GNU/Linux.
Bolt is used by GNOME 3 to handle Thunderbolt settings.
Type: boolean
Default:
falseDeclared by:
services.hardware.lcd.client.enable¶
Enable the LCD panel client (LCDproc)
Type: boolean
Default:
falseDeclared by:
services.hardware.lcd.client.extraConfig¶
Additional configuration added verbatim to the client config.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.hardware.lcd.client.restartForever¶
Try restarting the client forever.
Type: boolean
Default:
trueDeclared by:
services.hardware.lcd.server.enable¶
Enable the LCD panel server (LCDd)
Type: boolean
Default:
falseDeclared by:
services.hardware.lcd.server.extraConfig¶
Additional configuration added verbatim to the server config.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.hardware.lcd.server.openPorts¶
Open the ports in the firewall
Type: boolean
Default:
falseDeclared by:
services.hardware.lcd.server.usbGroup¶
The group to use for settings permissions. This group must exist or you will have to create it.
Type: string
Default:
"dialout"Declared by:
services.hardware.lcd.server.usbPermissions¶
Set group-write permissions on a USB device.
A USB connected LCD panel will most likely require having its permissions modified for lcdd to write to it. Enabling this option sets group-write permissions on the device identified by and. In order to find the values, you can run the lsusb command. Example output:
Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interfaceIn this case the vendor id is 0403 and the product id is c630.
Type: boolean
Default:
falseDeclared by:
services.hardware.lcd.server.usbPid¶
The product ID of the USB device to claim.
Type: string
Default:
""Declared by:
services.hardware.lcd.server.usbVid¶
The vendor ID of the USB device to claim.
Type: string
Default:
""Declared by:
services.hardware.lcd.serverHost¶
Host on which LCDd is listening.
Type: string
Default:
"localhost"Declared by:
services.hardware.lcd.serverPort¶
Port on which LCDd is listening.
Type: signed integer
Default:
13666Declared by:
services.hardware.pommed.enable¶
Whether to use the pommed tool to handle Apple laptop keyboard hotkeys.
Type: boolean
Default:
falseDeclared by:
services.hardware.pommed.configFile¶
The path to the
pommed.conffile. Leave to null to use the default config file (/etc/pommed.conf.mactel). See the files/etc/pommed.conf.macteland:file:/etc/pommed.conf.pmac for examples to build on.Type: null or path
Default:
nullDeclared by:
services.haveged.enable¶
Whether to enable to haveged entropy daemon, which refills /dev/random when low.
Type: boolean
Default:
falseDeclared by:
services.haveged.refill_threshold¶
The number of bits of available entropy beneath which haveged should refill the entropy pool.
Type: signed integer
Default:
1024Declared by:
services.hbase.enable¶
Whether to run HBase.
Type: boolean
Default:
falseDeclared by:
services.hbase.package¶
HBase package to use.
Type: package
Default:
"pkgs.hbase"Example:
pkgs.hbaseDeclared by:
services.hbase.dataDir¶
Specifies location of HBase database files. This location should be writable and readable for the user the HBase service runs as (hbase by default).
Type: path
Default:
"/var/lib/hbase"Declared by:
services.hbase.group¶
Group account under which HBase runs.
Type: string
Default:
"hbase"Declared by:
services.hbase.logDir¶
Specifies the location of HBase log files.
Type: path
Default:
"/var/log/hbase"Declared by:
services.hbase.user¶
User account under which HBase runs.
Type: string
Default:
"hbase"Declared by:
services.hdapsd.enable¶
Whether to enable Hard Drive Active Protection System Daemon, devices are detected and managed automatically by udev and systemd .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.headphones.enable¶
Whether to enable the headphones server.
Type: boolean
Default:
falseDeclared by:
services.headphones.configFile¶
Path to config file.
Type: path
Default:
"/var/lib/headphones/config.ini"Declared by:
services.headphones.dataDir¶
Path where to store data files.
Type: path
Default:
"/var/lib/headphones"Declared by:
services.headphones.group¶
Group to run the service as
Type: string
Default:
"headphones"Declared by:
services.headphones.host¶
Host to listen on.
Type: string
Default:
"localhost"Declared by:
services.headphones.port¶
Port to bind to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8181Declared by:
services.headphones.user¶
User to run the service as
Type: string
Default:
"headphones"Declared by:
services.heapster.enable¶
Whether to enable heapster monitoring
Type: boolean
Default:
falseDeclared by:
services.heapster.package¶
Package to use by heapster
Type: package
Default:
"pkgs.heapster"Declared by:
services.heapster.extraOpts¶
Heapster extra options
Type: strings concatenated with ” “
Default:
""Declared by:
services.heapster.sink¶
Heapster metic sink
Type: string
Example:
"influxdb:http://localhost:8086"Declared by:
services.heapster.source¶
Heapster metric source
Type: string
Example:
"kubernetes:https://kubernetes.default"Declared by:
services.heartbeat.enable¶
Whether to enable heartbeat.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.heartbeat.extraConfig¶
Any other configuration options you want to add
Type: strings concatenated with “\n”
Default:
'' heartbeat.monitors: - type: http urls: ["http://localhost:9200"] schedule: '@every 10s' ''Declared by:
services.heartbeat.name¶
Name of the beat
Type: string
Default:
"heartbeat"Declared by:
services.heartbeat.stateDir¶
The state directory. heartbeat’s own logs and other data are stored here.
Type: string
Default:
"/var/lib/heartbeat"Declared by:
services.heartbeat.tags¶
services.heyefi.enable¶
Whether to enable heyefi.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.heyefi.cardMacaddress¶
An Eye-Fi card MAC address.
Type: unspecified
Default:
""Declared by:
services.heyefi.uploadDir¶
The directory to upload the files to.
Type: unspecified
Example:
"/home/username/pictures"Declared by:
services.heyefi.uploadKey¶
An Eye-Fi card’s upload key.
Type: unspecified
Default:
""Declared by:
services.heyefi.user¶
heyefi will be run under this user (user must exist, this can be your user name).
Type: unspecified
Default:
"root"Declared by:
services.hitch.enable¶
Whether to enable Hitch Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.hitch.backend¶
The host and port Hitch connects to when receiving a connection in the form [HOST]:PORT
Type: string
Declared by:
services.hitch.ciphers¶
The list of ciphers to use
Type: string
Default:
"EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"Declared by:
services.hitch.extraConfig¶
Additional configuration lines
Type: strings concatenated with “\n”
Default:
""Declared by:
services.hitch.frontend¶
The port and interface of the listen endpoint in the + form [HOST]:PORT[+CERT].
Type: string or list of strings
Default:
"\[127.0.0.1]:443"Declared by:
services.hitch.group¶
The group to run as
Type: string
Default:
"hitch"Declared by:
services.hitch.ocsp-stapling.enabled¶
Whether to enable OCSP Stapling
Type: boolean
Default:
trueDeclared by:
services.hitch.user¶
The user to run as
Type: string
Default:
"hitch"Declared by:
services.hologram-agent.enable¶
Whether to enable the Hologram agent for AWS instance credentials
Type: boolean
Default:
falseDeclared by:
services.hologram-agent.dialAddress¶
Hologram server and port.
Type: string
Default:
"localhost:3100"Declared by:
services.hologram-agent.httpPort¶
Port for metadata service to listen on.
Type: string
Default:
"80"Declared by:
services.hologram-server.enable¶
Whether to enable the Hologram server for AWS instance credentials
Type: boolean
Default:
falseDeclared by:
services.hologram-server.enableLdapRoles¶
Whether to assign user roles based on the user’s LDAP group memberships
Type: boolean
Default:
falseDeclared by:
services.hologram-server.awsAccount¶
AWS account number
Type: string
Declared by:
services.hologram-server.awsDefaultRole¶
AWS default role
Type: string
Declared by:
services.hologram-server.cacheTimeoutSeconds¶
How often (in seconds) to refresh the LDAP cache
Type: signed integer
Default:
3600Declared by:
services.hologram-server.groupClassAttr¶
The objectclass attribute to search for groups when enableLdapRoles is true
Type: string
Default:
"groupOfNames"Declared by:
services.hologram-server.ldapBaseDN¶
The base DN for your Hologram users
Type: string
Declared by:
services.hologram-server.ldapBindDN¶
DN of account to use to query the LDAP server
Type: string
Declared by:
services.hologram-server.ldapBindPassword¶
Password of account to use to query the LDAP server
Type: string
Declared by:
services.hologram-server.ldapHost¶
Address of the LDAP server to use
Type: string
Declared by:
services.hologram-server.ldapInsecure¶
Whether to connect to LDAP over SSL or not
Type: boolean
Default:
falseDeclared by:
services.hologram-server.ldapUserAttr¶
The LDAP attribute for usernames
Type: string
Default:
"cn"Declared by:
services.hologram-server.listenAddress¶
Address and port to listen on
Type: string
Default:
"0.0.0.0:3100"Declared by:
services.hologram-server.roleAttr¶
Which LDAP group attribute to search for authorized role ARNs
Type: string
Default:
"businessCategory"Declared by:
services.hologram-server.statsAddress¶
Address of statsd server
Type: string
Default:
""Declared by:
services.home-assistant.enable¶
Whether to enable Home Assistant.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.home-assistant.package¶
Home Assistant package to use. Override
extraPackagesorextraComponentsin order to add additional dependencies. If you specify and do not set tofalse, overridingextraComponentswill have no effect.Type: package
Default:
"pkgs.home-assistant"Example:
pkgs.home-assistant.override { extraPackages = ps: with ps; [ colorlog ]; }Declared by:
services.home-assistant.applyDefaultConfig¶
Setting this option enables a few configuration options for HA based on NixOS configuration (such as time zone) to avoid having to manually specify configuration we already have.
Currently one side effect of enabling this is that the
httpcomponent will be enabled.This only takes effect if
config != nullin order to ensure that a manually managedconfiguration.yamlis not overwritten.Type: boolean
Default:
trueDeclared by:
services.home-assistant.autoExtraComponents¶
If set to
true, the components used inconfigare set as the specified package’sextraComponents. This in turn adds all packaged dependencies to the derivation. You might still see import errors in your log. In this case, you will need to package the necessary dependencies yourself or ask for someone else to package them. If a dependency is packaged but not automatically added to this list, you might need to specify it inextraPackages.Type: boolean
Default:
trueDeclared by:
services.home-assistant.config¶
Your
configuration.yamlas a Nix attribute set. Beware that setting this option will delete your previousconfiguration.yaml.`Secrets <https://www.home-assistant.io/docs/configuration/secrets/>`_ are encoded as strings as shown in the example.Type: null or attribute set
Default:
nullExample:
{ homeassistant = { name = "Home"; latitude = "!secret latitude"; longitude = "!secret longitude"; elevation = "!secret elevation"; unit_system = "metric"; time_zone = "UTC"; }; frontend = { }; http = { }; feedreader.urls = [ "https://nixos.org/blogs.xml" ]; }Declared by:
services.home-assistant.configDir¶
The config directory, where your
configuration.yamlis located.Type: path
Default:
"/var/lib/hass"Declared by:
services.home-assistant.configWritable¶
Whether to make
configuration.yamlwritable. This only has an effect if is set. This will allow you to edit it from Home Assistant’s web interface. However, bear in mind that it will be overwritten at every start of the service.Type: boolean
Default:
falseDeclared by:
services.home-assistant.lovelaceConfig¶
Your
ui-lovelace.yamlas a Nix attribute set. Setting this option will automatically add``lovelace.mode = “yaml”;`` to your . Beware that setting this option will delete your previousui-lovelace.yamlType: null or attribute set
Default:
nullExample:
{ title = "My Awesome Home"; views = [ { title = "Example"; cards = [ { type = "markdown"; title = "Lovelace"; content = "Welcome to your **Lovelace UI**."; } ]; } ]; }Declared by:
services.home-assistant.lovelaceConfigWritable¶
Whether to make
ui-lovelace.yamlwritable. This only has an effect if is set. This will allow you to edit it from Home Assistant’s web interface. However, bear in mind that it will be overwritten at every start of the service.Type: boolean
Default:
falseDeclared by:
services.home-assistant.openFirewall¶
Whether to open the firewall for the specified port.
Type: boolean
Default:
falseDeclared by:
services.home-assistant.port¶
The port on which to listen.
Type: signed integer
Default:
8123Declared by:
services.hoogle.enable¶
Whether to enable Haskell documentation server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.hoogle.packages¶
The Haskell packages to generate documentation for.
The option value is a function that takes the package set specified in the
haskellPackagesoption as its sole parameter and returns a list of packages.Type: unspecified
Default:
"hp: \[]"Example:
"hp: with hp; [ text lens ]"Declared by:
services.hoogle.haskellPackages¶
Which haskell package set to use.
Type: unspecified
Default:
"pkgs.haskellPackages"Declared by:
services.hoogle.home¶
Url for hoogle logo
Type: string
Default:
"https://hoogle.haskell.org"Declared by:
services.hoogle.port¶
Port number Hoogle will be listening to.
Type: signed integer
Default:
8080Declared by:
services.hostapd.enable¶
Enable putting a wireless interface into infrastructure mode, allowing other wireless devices to associate with the wireless interface and do wireless networking. A simple access point will,, and, as well as DHCP on the wireless interface to provide IP addresses to the associated stations, and NAT (from the wireless interface to an upstream interface).
Type: unspecified
Default:
falseDeclared by:
services.hostapd.channel¶
Channel number (IEEE 802.11) Please note that some drivers do not use this value from:command:hostapd and the channel will need to be configured separately with iwconfig.
Type: signed integer
Default:
7Example:
11Declared by:
services.hostapd.driver¶
Which driver hostapd will use. Most applications will probably use the default.
Type: string
Default:
"nl80211"Example:
"hostapd"Declared by:
services.hostapd.extraConfig¶
Extra configuration options to put in hostapd.conf.
Type: strings concatenated with “\n”
Default:
""Example:
'' auth_algo=0 ieee80211n=1 ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40] ''Declared by:
services.hostapd.group¶
Members of this group can control hostapd.
Type: string
Default:
"wheel"Example:
"network"Declared by:
services.hostapd.hwMode¶
Operation mode. (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g).
Type: one of “a”, “b”, “g”
Default:
"g"Declared by:
services.hostapd.interface¶
The interfaces hostapd will use.
Type: unspecified
Default:
""Example:
"wlp2s0"Declared by:
services.hostapd.noScan¶
Do not scan for overlapping BSSs in HT40+/- mode. Caution: turning this on will violate regulatory requirements!
Type: unspecified
Default:
falseDeclared by:
services.hostapd.ssid¶
SSID to be used in IEEE 802.11 management frames.
Type: string
Default:
"nixos"Example:
"mySpecialSSID"Declared by:
services.hostapd.wpa¶
Enable WPA (IEEE 802.11i/D3.0) to authenticate with the access point.
Type: unspecified
Default:
trueDeclared by:
services.hostapd.wpaPassphrase¶
WPA-PSK (pre-shared-key) passphrase. Clients will need this passphrase to associate with this access point. Warning: This passphrase will get put into a world-readable file in the Nix store!
Type: string
Default:
"my_sekret"Example:
"any_64_char_string"Declared by:
services.hound.enable¶
Whether to enable the hound code search daemon.
Type: boolean
Default:
falseDeclared by:
services.hound.package¶
Package for running hound.
Type: package
Default:
"pkgs.hound"Declared by:
services.hound.config¶
The full configuration of the Hound daemon. Note the dbpath should be an absolute path to a writable location on disk.
Type: string
Example:
'' { "max-concurrent-indexers" : 2, "dbpath" : "''${services.hound.home}/data", "repos" : { "nixpkgs": { "url" : "https://www.github.com/NixOS/nixpkgs.git" } } } ''Declared by:
services.hound.extraGroups¶
List of extra groups that the “hound” user should be a part of.
Type: list of strings
Default: ``[
]``
Example:
[ "dialout" ]Declared by:
services.hound.group¶
Group the hound daemon should execute under.
Type: string
Default:
"hound"Declared by:
services.hound.home¶
The path to use as hound’s $HOME. If the default user “hound” is configured then this is the home of the “hound” user.
Type: path
Default:
"/var/lib/hound"Declared by:
services.hound.listen¶
Listen on this IP:port / :port
Type: string
Default:
"0.0.0.0:6080"Example:
"127.0.0.1:6080 or just :6080"Declared by:
services.hound.user¶
User the hound daemon should execute under.
Type: string
Default:
"hound"Declared by:
services.htpdate.enable¶
Enable htpdate daemon.
Type: boolean
Default:
falseDeclared by:
services.htpdate.extraOptions¶
Additional command line arguments to pass to htpdate.
Type: string
Default:
""Declared by:
services.htpdate.proxy¶
HTTP proxy used for requests.
Type: string
Default:
""Example:
"127.0.0.1:8118"Declared by:
services.htpdate.servers¶
HTTP servers to use for time synchronization.
Type: list of strings
Default:
[ "www.google.com" ]Declared by:
services.httpd.enable¶
Whether to enable the Apache HTTP Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.httpd.enableMellon¶
Whether to enable the mod_auth_mellon module.
Type: boolean
Default:
falseDeclared by:
services.httpd.enablePHP¶
Whether to enable the PHP module.
Type: boolean
Default:
falseDeclared by:
services.httpd.enablePerl¶
Whether to enable the Perl module (mod_perl).
Type: boolean
Default:
falseDeclared by:
services.httpd.package¶
Overridable attribute of the Apache HTTP Server package to use.
Type: package
Default:
"pkgs.apacheHttpd"Declared by:
services.httpd.adminAddr¶
E-mail address of the server administrator.
Type: string
Example:
"admin@example.org"Declared by:
services.httpd.configFile¶
Override the configuration file used by Apache. By default, NixOS generates one automatically.
Type: path
Default:
"confFile"Example:
pkgs.writeText "httpd.conf" "# my custom config file ..."Declared by:
services.httpd.extraConfig¶
Configuration lines appended to the generated Apache configuration file. Note that this mechanism will not work when is overridden.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.httpd.extraModules¶
Additional Apache modules to be used. These can be specified as a string in the case of modules distributed with Apache, or as an attribute set specifying the``name`` and
pathof the module.Type: list of unspecifieds
Default: ``[
]``
Example:
[ "proxy_connect" { name = "jk"; path = "${pkgs.tomcat_connectors}/modules/mod_jk.so"; } ]Declared by:
services.httpd.group¶
Group under which httpd runs.
Type: string
Default:
"wwwrun"Declared by:
services.httpd.logDir¶
Directory for Apache’s log files. It is created automatically.
Type: path
Default:
"/var/log/httpd"Declared by:
services.httpd.logFormat¶
Log format for log files. Possible values are: combined, common, referer, agent. See ` <https://httpd.apache.org/docs/2.4/logs.html>`_ for more details.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.httpd.logPerVirtualHost¶
If enabled, each virtual host gets its own:file:access.log and:file:error.log, namely suffixed by the of the virtual host.
Type: boolean
Default:
trueDeclared by:
services.httpd.maxClients¶
Maximum number of httpd processes (prefork)
Type: signed integer
Default:
150Example:
8Declared by:
services.httpd.maxRequestsPerChild¶
Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited.
Type: signed integer
Default:
0Example:
500Declared by:
services.httpd.multiProcessingModule¶
Multi-processing module to be used by Apache. Available modules are
prefork(the default; handles each request in a separate child process),``worker`` (hybrid approach that starts a number of child processes each running a number of threads) andevent(a recent variant of``worker`` that handles persistent connections more efficiently).Type: one of “event”, “prefork”, “worker”
Default:
"prefork"Example:
"worker"Declared by:
services.httpd.phpOptions¶
Options appended to the PHP configuration file
php.ini.Type: strings concatenated with “\n”
Default:
""Example:
'' date.timezone = "CET" ''Declared by:
services.httpd.phpPackage¶
Overridable attribute of the PHP package to use.
Type: package
Default:
"pkgs.php"Declared by:
services.httpd.sslCiphers¶
Cipher Suite available for negotiation in SSL proxy handshake.
Type: string
Default:
"HIGH:!aNULL:!MD5:!EXP"Declared by:
services.httpd.sslProtocols¶
Allowed SSL/TLS protocol versions.
Type: string
Default:
"All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"Example:
"All -SSLv2 -SSLv3"Declared by:
services.httpd.user¶
User account under which httpd runs.
Type: string
Default:
"wwwrun"Declared by:
services.httpd.virtualHosts¶
Specification of the virtual hosts served by Apache. Each element should be an attribute set specifying the configuration of the virtual host.
Type: attribute set of submodules
Default:
{ localhost = { documentRoot = "\\${pkgs.apacheHttpd.out}/htdocs"; } ; }Example:
{ "foo.example.com" = { forceSSL = true; documentRoot = "/var/www/foo.example.com" }; "bar.example.com" = { addSSL = true; documentRoot = "/var/www/bar.example.com"; }; }Declared by:
services.httpd.virtualHosts.<name>.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.httpd.virtualHosts.<name>.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.httpd.virtualHosts.<name>.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.httpd.virtualHosts.<name>.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.httpd.virtualHosts.<name>.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.httpd.virtualHosts.<name>.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.httpd.virtualHosts.<name>.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.listen¶
services.httpd.virtualHosts.<name>.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.httpd.virtualHosts.<name>.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.httpd.virtualHosts.<name>.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.httpd.virtualHosts.<name>.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.httpd.virtualHosts.<name>.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.httpd.virtualHosts.<name>.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.httpd.virtualHosts.<name>.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.httpd.virtualHosts.<name>.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.httpd.virtualHosts.<name>.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.httpd.virtualHosts.<name>.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.httpd.virtualHosts.<name>.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.httpd.virtualHosts.<name>.servedDirs¶
services.httpd.virtualHosts.<name>.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.httpd.virtualHosts.<name>.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.httpd.virtualHosts.<name>.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.httpd.virtualHosts.<name>.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.httpd.virtualHosts.<name>.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.httpd.virtualHosts.<name>.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.hydra.enable¶
Whether to run Hydra services.
Type: boolean
Default:
falseDeclared by:
services.hydra.package¶
The Hydra package.
Type: path
Default:
"pkgs.hydra"Declared by:
services.hydra.buildMachinesFiles¶
List of files containing build machines.
Type: list of paths
Default: ``[
]``
Example:
[ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ]Declared by:
services.hydra.dbi¶
The DBI string for Hydra database connection.
Type: string
Default:
"dbi:Pg:dbname=hydra;user=hydra;"Example:
"dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;"Declared by:
services.hydra.debugServer¶
Whether to run the server in debug mode.
Type: boolean
Default:
falseDeclared by:
services.hydra.extraConfig¶
Extra lines for the Hydra configuration.
Type: strings concatenated with “\n”
Declared by:
services.hydra.extraEnv¶
services.hydra.gcRootsDir¶
Directory that holds Hydra garbage collector roots.
Type: path
Default:
"/nix/var/nix/gcroots/hydra"Declared by:
services.hydra.hydraURL¶
The base URL for the Hydra webserver instance. Used for links in emails.
Type: string
Declared by:
services.hydra.listenHost¶
The hostname or address to listen on or
*to listen on all interfaces.Type: string
Default:
"\*"Example:
"localhost"Declared by:
services.hydra.logo¶
Path to a file containing the logo of your Hydra instance.
Type: null or path
Default:
nullDeclared by:
services.hydra.minimumDiskFree¶
Threshold of minimum disk space (GiB) to determine if the queue runner should run or not.
Type: signed integer
Default:
0Declared by:
services.hydra.minimumDiskFreeEvaluator¶
Threshold of minimum disk space (GiB) to determine if the evaluator should run or not.
Type: signed integer
Default:
0Declared by:
services.hydra.notificationSender¶
Sender email address used for email notifications.
Type: string
Declared by:
services.hydra.port¶
TCP port the web server should listen to.
Type: signed integer
Default:
3000Declared by:
services.hydra.smtpHost¶
Hostname of the SMTP server to use to send email.
Type: null or string
Default:
nullExample:
[ "localhost" ]Declared by:
services.hydra.tracker¶
Piece of HTML that is included on all pages.
Type: string
Default:
""Declared by:
services.hydra.useSubstitutes¶
Whether to use binary caches for downloading store paths. Note that binary substitutions trigger (a potentially large number of) additional HTTP requests that slow down the queue monitor thread significantly. Also, this Hydra instance will serve those downloaded store paths to its users with its own signature attached as if it had built them itself, so don’t enable this feature unless your active binary caches are absolute trustworthy.
Type: boolean
Default:
falseDeclared by:
services.hydron.enable¶
Whether to enable hydron.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.hydron.dataDir¶
Location where hydron runs and stores data.
Type: path
Default:
"/var/lib/hydron"Example:
"/home/okina/hydron"Declared by:
services.hydron.fetchTags¶
Fetch tags for imported images and webm from gelbooru.
Type: boolean
Default:
trueDeclared by:
services.hydron.importPaths¶
Paths that hydron will recursively import.
Type: list of paths
Default: ``[
]``
Example:
[ "/home/okina/Pictures" ]Declared by:
services.hydron.interval¶
How often we run hydron import and possibly fetch tags. Runs by default every week.
The format is described insystemd.time7.
Type: string
Default:
"weekly"Example:
"06:00"Declared by:
services.hydron.listenAddress¶
Listen on a specific IP address and port.
Type: null or string
Default:
nullExample:
"127.0.0.1:8010"Declared by:
services.hydron.password¶
Password for the hydron database.
Type: string
Default:
"hydron"Example:
"dumbpass"Declared by:
services.hydron.passwordFile¶
Password file for the hydron database.
Type: path
Default:
"/run/keys/hydron-password-file"Example:
"/home/okina/hydron/keys/pass"Declared by:
services.hydron.postgresArgs¶
Postgresql connection arguments.
Type: string
Example:
'' { "driver": "postgres", "connection": "user=hydron password=dumbpass dbname=hydron sslmode=disable" } ''Declared by:
services.hydron.postgresArgsFile¶
Postgresql connection arguments file.
Type: path
Default:
"/run/keys/hydron-postgres-args"Example:
"/home/okina/hydron/keys/postgres"Declared by:
services.hylafax.enable¶
Whether to enable HylaFAX server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.hylafax.areaCode¶
Area code for server and all modems.
Type: null or string
Default:
nullExample:
"30"Declared by:
services.hylafax.autostart¶
Autostart the HylaFAX queue manager at system start. If this is
false, the queue manager will still be started if there are pending jobs or if a user tries to connect to it.Type: boolean
Default:
trueExample:
falseDeclared by:
services.hylafax.commonModemConfig¶
Attribute set of default values for modem config files
etc/config.*. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.Think twice before changing paths of fax-processing scripts.
Type: attribute set of list of string or signed integer convertible to it or boolean convertible to its or string or signed integer convertible to it or boolean convertible to it convertible to its
Example:
{ InternationalPrefix = "00"; LongDistancePrefix = "0"; }Declared by:
services.hylafax.countryCode¶
Country code for server and all modems.
Type: null or string
Default:
nullExample:
"49"Declared by:
services.hylafax.faxcron.enable.frequency¶
Purge old files from the spooling area with:file:faxcron with the given frequency (see systemd.time(7)).
Type: null or string
Default:
nullExample:
"daily"Declared by:
services.hylafax.faxcron.enable.spoolInit¶
Whether to enable Purge old files from the spooling area with:file:faxcron each time the spooling area is initialized. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.hylafax.faxcron.infoDays¶
Set the expiration time for data in the remote machine information directory in days.
Type: signed integer
Default:
30Declared by:
services.hylafax.faxcron.logDays¶
Set the expiration time for session trace log files in days.
Type: signed integer
Default:
30Declared by:
services.hylafax.faxcron.rcvDays¶
Set the expiration time for files in the received facsimile queue in days.
Type: signed integer
Default:
7Declared by:
services.hylafax.faxqConfig¶
Attribute set of lines for the global faxq config file
etc/config. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.Type: attribute set of list of string or signed integer convertible to it or boolean convertible to its or string or signed integer convertible to it or boolean convertible to it convertible to its
Example:
{ InternationalPrefix = "00"; LongDistancePrefix = "0"; }Declared by:
services.hylafax.faxqclean.enable.frequency¶
Purge old files from the spooling area with:file:faxcron with the given frequency (see systemd.time(7)).
Type: null or string
Default:
nullExample:
"daily"Declared by:
services.hylafax.faxqclean.enable.spoolInit¶
Whether to enable Purge old files from the spooling area with:file:faxqclean each time the spooling area is initialized. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.hylafax.faxqclean.archiving¶
Enable or suppress job archiving:
neverdisables job archiving,``as-flagged`` archives jobs that have been flagged for archiving by sendfax,``always`` forces archiving of all jobs. See also sendfax(1) and faxqclean(8).Type: one of “never”, “as-flagged”, “always”
Default:
"as-flagged"Example:
"always"Declared by:
services.hylafax.faxqclean.docqMinutes¶
Set the document age threshold (in minutes) that controls how long unreferenced files may reside in the docq directory.
Type: signed integer
Default:
60Example:
24*60Declared by:
services.hylafax.faxqclean.doneqMinutes¶
Set the job age threshold (in minutes) that controls how long jobs may reside in the doneq directory.
Type: signed integer
Default:
15Example:
24*60Declared by:
services.hylafax.hfaxdConfig¶
Attribute set of lines for the global hfaxd config file
etc/hfaxd.conf. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.Type: attribute set of list of string or signed integer convertible to it or boolean convertible to its or string or signed integer convertible to it or boolean convertible to it convertible to its
Example:
{ RecvqProtection = "0400"; }Declared by:
services.hylafax.internationalPrefix¶
International prefix for server and all modems.
Type: null or string
Default:
nullExample:
"00"Declared by:
services.hylafax.longDistancePrefix¶
Long distance prefix for server and all modems.
Type: null or string
Default:
nullExample:
"0"Declared by:
services.hylafax.modems¶
Description of installed modems. At least on modem must be defined to enable the HylaFAX server.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ ttyS1 = { config = { FAXNumber = "123456"; LocalIdentifier = "Smith"; } ; type = "cirrus"; } ; }Declared by:
services.hylafax.modems.<name?>.config¶
Attribute set of values for the given modem. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.
Options defined here override options in for this modem.
Type: attribute set of list of string or signed integer convertible to it or boolean convertible to its or string or signed integer convertible to it or boolean convertible to it convertible to its
Example:
{ AreaCode = "49"; FAXNumber = "123456"; LocalCode = "30"; LocalIdentifier = "LostInBerlin"; }Declared by:
services.hylafax.modems.<name?>.name¶
Name of modem device, will be searched for in
/dev.Type: string
Example:
"ttyS1"Declared by:
services.hylafax.modems.<name?>.type¶
Name of modem configuration file, will be searched for in
configin the spooling area directory.Type: string
Example:
"cirrus"Declared by:
services.hylafax.sendmailPath¶
Path to
sendmailprogram. The default uses the local sendmail wrapper (see ), otherwise thefalsebinary to cause an error if used.Type: path
Example:
''${pkgs.postfix}/bin/sendmailDeclared by:
services.hylafax.spoolAreaPath¶
The spooling area will be created/maintained at the location given here.
Type: path
Default:
"/var/spool/fax"Declared by:
services.hylafax.spoolExtraInit¶
Additional shell code that is executed within the spooling area directory right after its setup.
Type: strings concatenated with “\n”
Default:
""Example:
"chmod 0755 . # everyone may read my faxes"Declared by:
services.hylafax.userAccessFile¶
The
hosts.hfaxdfile entry in the spooling area will be symlinked to the location given here. This file must exist and be readable only by theuucpuser. See hosts.hfaxd(5) for details. This configuration permits access for all users:environment.etc."hosts.hfaxd" = { mode = "0600"; user = "uucp"; text = ".*"; };Note that host-based access can be controlled with; by default, only 127.0.0.1 is permitted to connect.Type: path
Default:
"/etc/hosts.hfaxd"Declared by:
services.i2p.enable¶
Whether to enable I2P router.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.enable¶
Enables I2Pd as a running service upon activation. Please read http://i2pd.readthedocs.io/en/latest/ for further configuration help.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.enableIPv4¶
Whether to enable IPv4 connectivity.
Type: boolean
Default:
trueExample:
trueDeclared by:
services.i2pd.enableIPv6¶
Whether to enable IPv6 connectivity.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.address¶
Your external IP or hostname.
Type: null or string
Default:
nullDeclared by:
services.i2pd.addressbook.defaulturl¶
AddressBook subscription URL for initial setup
Type: string
Default:
"http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt"Declared by:
services.i2pd.addressbook.subscriptions¶
AddressBook subscription URLs
Type: list of strings
Default:
[ "http://inr.i2p/export/alive-hosts.txt" "http://i2p-projekt.i2p/hosts.txt" "http://stats.i2p/cgi-bin/newhosts.txt" ]Declared by:
services.i2pd.bandwidth¶
Set a router bandwidth limit integer in KBps. If not set, i2pd defaults to 32KBps.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.dataDir¶
Alternative path to storage of i2pd data (RI, keys, peer profiles, …)
Type: null or string
Default:
nullDeclared by:
services.i2pd.exploratory.inbound.length¶
Guaranteed minimum hops for exploratory tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.exploratory.inbound.quantity¶
Number of simultaneous exploratory tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.exploratory.outbound.length¶
Guaranteed minimum hops for exploratory tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.exploratory.outbound.quantity¶
Number of simultaneous exploratory tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.family¶
Specify a family the router belongs to.
Type: null or string
Default:
nullDeclared by:
services.i2pd.floodfill¶
If the router is declared to be unreachable and needs introduction nodes.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.ifname¶
Network interface to bind to.
Type: null or string
Default:
nullDeclared by:
services.i2pd.ifname4¶
IPv4 interface to bind to.
Type: null or string
Default:
nullDeclared by:
services.i2pd.ifname6¶
IPv6 interface to bind to.
Type: null or string
Default:
nullDeclared by:
services.i2pd.inTunnels¶
Serve something on I2P network at port and delegate requests to address inPort.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.i2pd.inTunnels.<name>.enable¶
Whether to enable ‹name›.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.inTunnels.<name>.accessList¶
I2P nodes that are allowed to connect to this service.
Type: list of strings
Default: ``[
]``
Declared by:
services.i2pd.inTunnels.<name>.address¶
Bind address for ‹name› endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.inTunnels.<name>.crypto.tagsToSend¶
Number of ElGamal/AES tags to send.
Type: signed integer
Default:
40Declared by:
services.i2pd.inTunnels.<name>.destination¶
Remote endpoint, I2P hostname or b32.i2p address.
Type: string
Declared by:
services.i2pd.inTunnels.<name>.inPort¶
Service port. Default to the tunnel’s listen port.
Type: signed integer
Default:
0Declared by:
services.i2pd.inTunnels.<name>.inbound.length¶
Guaranteed minimum hops for ‹name› tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.inTunnels.<name>.inbound.quantity¶
Number of simultaneous ‹name› tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.inTunnels.<name>.keys¶
Keyset used for tunnel identity.
Type: string
Default:
"‹name›-keys.dat"Declared by:
services.i2pd.inTunnels.<name>.name¶
The endpoint name.
Type: string
Default:
"‹name›"Declared by:
services.i2pd.inTunnels.<name>.outbound.length¶
Guaranteed minimum hops for ‹name› tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.inTunnels.<name>.outbound.quantity¶
Number of simultaneous ‹name› tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.inTunnels.<name>.port¶
Bind port for ‹name› endoint.
Type: signed integer
Default:
0Declared by:
services.i2pd.limits.coreSize¶
Maximum size of corefile in Kb (0 - use system limit).
Type: signed integer
Default:
0Declared by:
services.i2pd.limits.ntcpHard¶
Maximum number of active transit sessions.
Type: signed integer
Default:
0Declared by:
services.i2pd.limits.ntcpSoft¶
Threshold to start probabalistic backoff with ntcp sessions (default: use system limit).
Type: signed integer
Default:
0Declared by:
services.i2pd.limits.ntcpThreads¶
Maximum number of threads used by NTCP DH worker.
Type: signed integer
Default:
1Declared by:
services.i2pd.limits.openFiles¶
Maximum number of open files (0 - use system default).
Type: signed integer
Default:
0Declared by:
services.i2pd.limits.transittunnels¶
Maximum number of active transit sessions.
Type: signed integer
Default:
2500Declared by:
services.i2pd.logCLFTime¶
Whether to enable Full CLF-formatted date and time to log.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.logLevel¶
The log level. i2pd defaults to “info” but that generates copious amounts of log messages.
We default to “error” which is similar to the default log level of tor.
Type: one of “debug”, “info”, “warn”, “error”
Default:
"error"Declared by:
services.i2pd.nat¶
Whether to enable NAT bypass.
Type: boolean
Default:
trueExample:
trueDeclared by:
services.i2pd.netid¶
I2P overlay netid.
Type: signed integer
Default:
2Declared by:
services.i2pd.notransit¶
Tells the router to not accept transit tunnels during startup.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.ntcp¶
Whether to enable ntcp.
Type: boolean
Default:
trueExample:
trueDeclared by:
services.i2pd.ntcp2.enable¶
Whether to enable NTCP2..
Type: boolean
Default:
trueExample:
trueDeclared by:
services.i2pd.ntcp2.port¶
Port to listen for incoming NTCP2 connections (0=auto).
Type: signed integer
Default:
0Declared by:
services.i2pd.ntcp2.published¶
Whether to enable NTCP2 publication.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.ntcpProxy¶
Proxy URL for NTCP transport.
Type: null or string
Default:
nullDeclared by:
services.i2pd.outTunnels¶
Connect to someone as a client and establish a local accept endpoint
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.i2pd.outTunnels.<name>.enable¶
Whether to enable ‹name›.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.outTunnels.<name>.address¶
Bind address for ‹name› endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.outTunnels.<name>.crypto.tagsToSend¶
Number of ElGamal/AES tags to send.
Type: signed integer
Default:
40Declared by:
services.i2pd.outTunnels.<name>.destination¶
Remote endpoint, I2P hostname or b32.i2p address.
Type: string
Declared by:
services.i2pd.outTunnels.<name>.destinationPort¶
Connect to particular port at destination.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.outTunnels.<name>.inbound.length¶
Guaranteed minimum hops for ‹name› tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.outTunnels.<name>.inbound.quantity¶
Number of simultaneous ‹name› tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.outTunnels.<name>.keys¶
Keyset used for tunnel identity.
Type: string
Default:
"‹name›-keys.dat"Declared by:
services.i2pd.outTunnels.<name>.name¶
The endpoint name.
Type: string
Default:
"‹name›"Declared by:
services.i2pd.outTunnels.<name>.outbound.length¶
Guaranteed minimum hops for ‹name› tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.outTunnels.<name>.outbound.quantity¶
Number of simultaneous ‹name› tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.outTunnels.<name>.port¶
Bind port for ‹name› endoint.
Type: signed integer
Default:
0Declared by:
services.i2pd.port¶
I2P listen port. If no one is given the router will pick between 9111 and 30777.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.precomputation.elgamal¶
Whenever to use precomputated tables for ElGamal.:command:i2pd defaults to
falseto save 64M of memory (and looses some performance).We default to
trueas that is what most users want anyway.Type: boolean
Default:
trueExample:
trueDeclared by:
services.i2pd.proto.bob.enable¶
Whether to enable bob.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.bob.address¶
Bind address for bob endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.bob.name¶
The endpoint name.
Type: string
Default:
"bob"Declared by:
services.i2pd.proto.bob.port¶
Bind port for bob endoint.
Type: signed integer
Default:
2827Declared by:
services.i2pd.proto.http.enable¶
Whether to enable http.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.http.address¶
Bind address for http endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.http.auth¶
Whether to enable Webconsole authentication.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.http.hostname¶
Expected hostname for WebUI.
Type: null or string
Default:
nullDeclared by:
services.i2pd.proto.http.name¶
The endpoint name.
Type: string
Default:
"http"Declared by:
services.i2pd.proto.http.pass¶
Password for webconsole access.
Type: string
Default:
"i2pd"Declared by:
services.i2pd.proto.http.port¶
Bind port for http endoint.
Type: signed integer
Default:
7070Declared by:
services.i2pd.proto.http.strictHeaders¶
Enable strict host checking on WebUI.
Type: null or boolean
Default:
nullDeclared by:
services.i2pd.proto.http.user¶
Username for webconsole access
Type: string
Default:
"i2pd"Declared by:
services.i2pd.proto.httpProxy.enable¶
Whether to enable httpproxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.httpProxy.address¶
Bind address for httpproxy endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.httpProxy.inbound.length¶
Guaranteed minimum hops for httpproxy tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.proto.httpProxy.inbound.quantity¶
Number of simultaneous httpproxy tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.proto.httpProxy.keys¶
File to persist HTTPPROXY keys.
Type: null or string
Default:
"httpproxy-keys.dat"Declared by:
services.i2pd.proto.httpProxy.latency.max¶
Max latency for tunnels.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.proto.httpProxy.latency.min¶
Min latency for tunnels.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.proto.httpProxy.name¶
The endpoint name.
Type: string
Default:
"httpproxy"Declared by:
services.i2pd.proto.httpProxy.outbound.length¶
Guaranteed minimum hops for httpproxy tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.proto.httpProxy.outbound.quantity¶
Number of simultaneous httpproxy tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.proto.httpProxy.outproxy¶
Upstream outproxy bind address.
Type: null or string
Default:
nullDeclared by:
services.i2pd.proto.httpProxy.port¶
Bind port for httpproxy endoint.
Type: signed integer
Default:
4444Declared by:
services.i2pd.proto.i2cp.enable¶
Whether to enable i2cp.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.i2cp.address¶
Bind address for i2cp endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.i2cp.name¶
The endpoint name.
Type: string
Default:
"i2cp"Declared by:
services.i2pd.proto.i2cp.port¶
Bind port for i2cp endoint.
Type: signed integer
Default:
7654Declared by:
services.i2pd.proto.i2pControl.enable¶
Whether to enable i2pcontrol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.i2pControl.address¶
Bind address for i2pcontrol endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.i2pControl.name¶
The endpoint name.
Type: string
Default:
"i2pcontrol"Declared by:
services.i2pd.proto.i2pControl.port¶
Bind port for i2pcontrol endoint.
Type: signed integer
Default:
7650Declared by:
services.i2pd.proto.sam.enable¶
Whether to enable sam.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.sam.address¶
Bind address for sam endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.sam.name¶
The endpoint name.
Type: string
Default:
"sam"Declared by:
services.i2pd.proto.sam.port¶
Bind port for sam endoint.
Type: signed integer
Default:
7656Declared by:
services.i2pd.proto.socksProxy.enable¶
Whether to enable socksproxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.socksProxy.address¶
Bind address for socksproxy endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.socksProxy.inbound.length¶
Guaranteed minimum hops for socksproxy tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.proto.socksProxy.inbound.quantity¶
Number of simultaneous socksproxy tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.proto.socksProxy.keys¶
File to persist SOCKSPROXY keys.
Type: null or string
Default:
"socksproxy-keys.dat"Declared by:
services.i2pd.proto.socksProxy.latency.max¶
Max latency for tunnels.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.proto.socksProxy.latency.min¶
Min latency for tunnels.
Type: null or signed integer
Default:
nullDeclared by:
services.i2pd.proto.socksProxy.name¶
The endpoint name.
Type: string
Default:
"socksproxy"Declared by:
services.i2pd.proto.socksProxy.outbound.length¶
Guaranteed minimum hops for socksproxy tunnels.
Type: signed integer
Default:
3Declared by:
services.i2pd.proto.socksProxy.outbound.quantity¶
Number of simultaneous socksproxy tunnels.
Type: signed integer
Default:
5Declared by:
services.i2pd.proto.socksProxy.outproxy¶
Upstream outproxy bind address.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.proto.socksProxy.outproxyEnable¶
Whether to enable SOCKS outproxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.proto.socksProxy.outproxyPort¶
Upstream outproxy bind port.
Type: signed integer
Default:
4444Declared by:
services.i2pd.proto.socksProxy.port¶
Bind port for socksproxy endoint.
Type: signed integer
Default:
4447Declared by:
services.i2pd.reseed.file¶
Full path to SU3 file to reseed from.
Type: null or string
Default:
nullDeclared by:
services.i2pd.reseed.floodfill¶
Path to router info of floodfill to reseed from.
Type: null or string
Default:
nullDeclared by:
services.i2pd.reseed.proxy¶
URL for reseed proxy, supports http/socks.
Type: null or string
Default:
nullDeclared by:
services.i2pd.reseed.verify¶
Whether to enable SU3 signature verification.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.reseed.zipfile¶
Path to local .zip file to reseed from.
Type: null or string
Default:
nullDeclared by:
services.i2pd.ssu¶
Whether to enable ssu.
Type: boolean
Default:
trueExample:
trueDeclared by:
services.i2pd.trust.enable¶
Whether to enable Explicit trust options.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.trust.family¶
Router Familiy to trust for first hops.
Type: null or string
Default:
nullDeclared by:
services.i2pd.trust.routers¶
services.i2pd.upnp.enable¶
Whether to enable UPnP service discovery.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.upnp.name¶
Name i2pd appears in UPnP forwardings list.
Type: string
Default:
"I2Pd"Declared by:
services.i2pd.websocket.enable¶
Whether to enable websockets.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.i2pd.websocket.address¶
Bind address for websockets endpoint.
Type: string
Default:
"127.0.0.1"Declared by:
services.i2pd.websocket.name¶
The endpoint name.
Type: string
Default:
"websockets"Declared by:
services.i2pd.websocket.port¶
Bind port for websockets endoint.
Type: signed integer
Default:
7666Declared by:
services.icecast.enable¶
Whether to enable Icecast server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icecast.admin.password¶
Password used for all administration functions.
Type: string
Declared by:
services.icecast.admin.user¶
Username used for all administration functions.
Type: string
Default:
"admin"Declared by:
services.icecast.extraConf¶
icecast.xml content.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.icecast.group¶
Group privileges for the server.
Type: string
Default:
"nogroup"Declared by:
services.icecast.hostname¶
DNS name or IP address that will be used for the stream directory lookups or possibily the playlist generation if a Host header is not provided.
Type: string
Default:
nullDeclared by:
services.icecast.listen.address¶
Address Icecast will listen on.
Type: string
Default:
"::"Declared by:
services.icecast.listen.port¶
TCP port that will be used to accept client connections.
Type: signed integer
Default:
8000Declared by:
services.icecast.logDir¶
Base directory used for logging.
Type: path
Default:
"/var/log/icecast"Declared by:
services.icecast.user¶
User privileges for the server.
Type: string
Default:
"nobody"Declared by:
services.icingaweb2.enable¶
Whether to enable the icingaweb2 web interface.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icingaweb2.authentications¶
authentication.ini contents. Will automatically be converted to a .ini file.
If the value is null, no authentication.ini is created and you can modify it manually (e.g. via the web interface).
Type: null or attribute set
Default:
nullExample:
{ icingaweb = { backend = "db"; resource = "icingaweb_db"; } ; }Declared by:
services.icingaweb2.generalConfig¶
config.ini contents. Will automatically be converted to a .ini file. If you don’t set global.module_path, the module will take care of it.
If the value is null, no config.ini is created and you can modify it manually (e.g. via the web interface). Note that you need to update module_path manually.
Type: null or attribute set
Default:
nullExample:
{ general = { config_resource = "icingaweb_db"; showStacktraces = 1; } ; logging = { level = "CRITICAL"; log = "syslog"; } ; }Declared by:
services.icingaweb2.groupBackends¶
groups.ini contents. Will automatically be converted to a .ini file.
If the value is null, no groups.ini is created and you can modify it manually (e.g. via the web interface).
Type: null or attribute set
Default:
nullExample:
{ icingaweb = { backend = "db"; resource = "icingaweb_db"; } ; }Declared by:
services.icingaweb2.modulePackages¶
Name-package attrset of Icingaweb 2 modules packages to enable.
If you enable modules manually (e.g. via the web ui), they will not be touched.
Type: attribute set of packages
Default: ``{
}``
Example:
{ "snow" = icingaweb2Modules.theme-snow; }Declared by:
services.icingaweb2.modules.doc.enable¶
Whether to enable the icingaweb2 doc module.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icingaweb2.modules.migrate.enable¶
Whether to enable the icingaweb2 migrate module.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icingaweb2.modules.monitoring.enable¶
Whether to enable the icingaweb2 monitoring module.
Type: boolean
Default:
trueDeclared by:
services.icingaweb2.modules.monitoring.backends¶
Monitoring backends to define
Type: attribute set of submodules
Default:
{ icinga = { resource = "icinga_ido"; } ; }Declared by:
services.icingaweb2.modules.monitoring.backends.<name>.disabled¶
Disable this backend
Type: boolean
Default:
falseDeclared by:
services.icingaweb2.modules.monitoring.backends.<name>.resource¶
Name of the IDO resource
Type: string
Declared by:
services.icingaweb2.modules.monitoring.generalConfig.mutable¶
Make config.ini of the monitoring module mutable (e.g. via the web interface).
Type: boolean
Default:
falseDeclared by:
services.icingaweb2.modules.monitoring.generalConfig.protectedVars¶
List of string patterns for custom variables which should be excluded from user’s view.
Type: list of strings
Default:
[ "\*pw*" "\*pass*" "community" ]Declared by:
services.icingaweb2.modules.monitoring.mutableBackends¶
Make backends.ini of the monitoring module mutable (e.g. via the web interface).
Type: boolean
Default:
falseDeclared by:
services.icingaweb2.modules.monitoring.mutableTransports¶
Make commandtransports.ini of the monitoring module mutable (e.g. via the web interface).
Type: boolean
Default:
trueDeclared by:
services.icingaweb2.modules.monitoring.transports¶
services.icingaweb2.modules.monitoring.transports.<name>.host¶
Host for the api or remote transport
Type: string
Declared by:
services.icingaweb2.modules.monitoring.transports.<name>.instance¶
Assign a icinga instance to this transport
Type: null or string
Default:
nullDeclared by:
services.icingaweb2.modules.monitoring.transports.<name>.password¶
Password for the api transport
Type: string
Declared by:
services.icingaweb2.modules.monitoring.transports.<name>.path¶
Path to the socket for local or remote transports
Type: string
Declared by:
services.icingaweb2.modules.monitoring.transports.<name>.port¶
Port to connect to for the api or remote transport
Type: null or string
Default:
nullDeclared by:
services.icingaweb2.modules.monitoring.transports.<name>.resource¶
SSH identity resource for the remote transport
Type: string
Declared by:
services.icingaweb2.modules.monitoring.transports.<name>.type¶
Type of this transport
Type: one of “api”, “local”, “remote”
Default:
"api"Declared by:
services.icingaweb2.modules.monitoring.transports.<name>.username¶
Username for the api or remote transport
Type: string
Declared by:
services.icingaweb2.modules.setup.enable¶
Whether to enable the icingaweb2 setup module.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icingaweb2.modules.test.enable¶
Whether to enable the icingaweb2 test module.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icingaweb2.modules.translation.enable¶
Whether to enable the icingaweb2 translation module.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.icingaweb2.pool¶
Name of existing PHP-FPM pool that is used to run Icingaweb2. If not specified, a pool will automatically created with default values.
Type: string
Default:
"icingaweb2"Declared by:
services.icingaweb2.resources¶
resources.ini contents. Will automatically be converted to a .ini file.
If the value is null, no resources.ini is created and you can modify it manually (e.g. via the web interface). Note that if you set passwords here, they will go into the nix store.
Type: null or attribute set
Default:
nullExample:
{ icingaweb_db = { db = "mysql"; dbname = "icingaweb2"; host = "localhost"; password = "icingaweb2"; type = "db"; username = "icingaweb2"; } ; }Declared by:
services.icingaweb2.roles¶
roles.ini contents. Will automatically be converted to a .ini file.
If the value is null, no roles.ini is created and you can modify it manually (e.g. via the web interface).
Type: null or attribute set
Default:
nullExample:
{ Administrators = { permissions = "\*"; users = "admin"; } ; }Declared by:
services.icingaweb2.timezone¶
PHP-compliant timezone specification
Type: string
Default:
"UTC"Example:
"Europe/Berlin"Declared by:
services.icingaweb2.virtualHost¶
Name of the nginx virtualhost to use and setup. If null, no virtualhost is set up.
Type: null or string
Default:
"icingaweb2"Declared by:
services.ihaskell.enable¶
Autostart an IHaskell notebook service.
Type: unspecified
Default:
falseDeclared by:
services.ihaskell.extraPackages¶
Extra packages available to ghc when running ihaskell. The value must be a function which receives the attrset defined in
haskellPackagesas the sole argument.Type: unspecified
Default:
"<function>"Example:
haskellPackages: [ haskellPackages.wreq haskellPackages.lens ]Declared by:
services.ihatemoney.enable¶
Whether to enable ihatemoney webapp. Note that this will set uwsgi to emperor mode running as root.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ihatemoney.enableAdminDashboard¶
Whether to enable ihatemoney admin dashboard.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ihatemoney.enableDemoProject¶
Whether to enable access to the demo project in ihatemoney.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ihatemoney.enablePublicProjectCreation¶
Whether to enable permission to create projects in ihatemoney by anyone.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ihatemoney.adminHashedPassword¶
The hashed password of the administrator. To obtain it, run
ihatemoney generate_password_hashType: null or string
Default:
nullDeclared by:
services.ihatemoney.backend¶
The database engine to use for ihatemoney. If
postgresqlis selected, then a database called``ihatemoney`` will be created. If you disable this option, it will however not be removed.Type: one of “sqlite”, “postgresql”
Default:
"sqlite"Declared by:
services.ihatemoney.defaultSender.email¶
The email of the sender of ihatemoney emails
Type: string
Default:
"ihatemoney@nixos"Declared by:
services.ihatemoney.defaultSender.name¶
The display name of the sender of ihatemoney emails
Type: string
Default:
"Budget manager"Declared by:
services.ihatemoney.extraConfig¶
Extra configuration appended to ihatemoney’s configuration file. It is a python file, so pay attention to indentation.
Type: string
Default:
""Declared by:
services.ihatemoney.uwsgiConfig¶
Additionnal configuration of the UWSGI vassal running ihatemoney. It should notably specify on which interfaces and ports the vassal should listen.
Type: attribute set
Example:
{ http = ":8000"; }Declared by:
services.illum.enable¶
Enable illum, a daemon for controlling screen brightness with brightness buttons.
Type: boolean
Default:
falseDeclared by:
services.incron.enable¶
Whether to enable the incron daemon.
Note that commands run under incrontab only support common Nix profiles for the PATH provided variable.
Type: boolean
Default:
falseDeclared by:
services.incron.allow¶
Users allowed to use incrontab.
If empty then no user will be allowed to have their own incrontab. If
nullthen will defer to . If both and are null then all users will be allowed to have their own incrontab.Type: null or list of strings
Default:
nullDeclared by:
services.incron.deny¶
Users forbidden from using incrontab.
Type: null or list of strings
Default:
nullDeclared by:
services.incron.extraPackages¶
Extra packages available to the system incrontab.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.rsync ]Declared by:
services.incron.systab¶
The system incrontab contents.
Type: strings concatenated with “\n”
Default:
""Example:
'' /var/mail IN_CLOSE_WRITE abc $@/$# /tmp IN_ALL_EVENTS efg $@/$# $& ''Declared by:
services.infinoted.enable¶
Whether to enable infinoted.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.infinoted.package¶
Package providing infinoted
Type: package
Default:
"pkgs.libinfinity"Declared by:
services.infinoted.certificateChain¶
Chain of CA-certificates to which our `certificateFile` is relative. Optional for TLS.
Type: null or path
Default:
nullDeclared by:
services.infinoted.certificateFile¶
Server certificate to use for TLS
Type: null or path
Default:
nullDeclared by:
services.infinoted.extraConfig¶
Additional configuration to append to infinoted.conf
Type: strings concatenated with “\n”
Default:
'' [autosave] interval=10 ''Declared by:
services.infinoted.group¶
What to call the primary group of the dedicated user under which infinoted is run
Type: string
Default:
"infinoted"Declared by:
services.infinoted.keyFile¶
Private key to use for TLS
Type: null or path
Default:
nullDeclared by:
services.infinoted.passwordFile¶
File to read server-wide password from
Type: null or path
Default:
nullDeclared by:
services.infinoted.plugins¶
Plugins to enable
Type: list of strings
Default:
[ "note-text" "note-chat" "logging" "autosave" ]Declared by:
services.infinoted.port¶
Port to listen on
Type: signed integer
Default:
6523Declared by:
services.infinoted.rootDirectory¶
Root of the directory structure to serve
Type: path
Default:
"/var/lib/infinoted/documents/"Declared by:
services.infinoted.securityPolicy¶
How strictly to enforce clients connection with TLS.
Type: one of “no-tls”, “allow-tls”, “require-tls”
Default:
"require-tls"Declared by:
services.infinoted.user¶
What to call the dedicated user under which infinoted is run
Type: string
Default:
"infinoted"Declared by:
services.influxdb.enable¶
Whether to enable the influxdb server
Type: boolean
Default:
falseDeclared by:
services.influxdb.package¶
Which influxdb derivation to use
Type: package
Default:
"pkgs.influxdb"Declared by:
services.influxdb.dataDir¶
Data directory for influxd data files.
Type: path
Default:
"/var/db/influxdb"Declared by:
services.influxdb.extraConfig¶
services.influxdb.group¶
Group under which influxdb runs
Type: string
Default:
"influxdb"Declared by:
services.influxdb.user¶
User account under which influxdb runs
Type: string
Default:
"influxdb"Declared by:
services.interception-tools.enable¶
Whether to enable the interception tools service.
Type: boolean
Default:
falseDeclared by:
services.interception-tools.plugins¶
A list of interception tools plugins that will be made available to use inside the udevmon configuration.
Type: list of packages
Default:
[ *(build of interception-tools-caps2esc-0.1.0)* ]Declared by:
services.interception-tools.udevmonConfig¶
String of udevmon YAML configuration, or path to a udevmon YAML configuration file.
Type: string or path
Default:
'' - JOB: "intercept -g $DEVNODE | caps2esc | uinput -d $DEVNODE" DEVICE: EVENTS: EV_KEY: [KEY_CAPSLOCK, KEY_ESC] ''Example:
'' - JOB: "intercept -g $DEVNODE | y2z | x2y | uinput -d $DEVNODE" DEVICE: EVENTS: EV_KEY: [KEY_X, KEY_Y] ''Declared by:
services.iodine.clients¶
Each attribute of this option defines a systemd service that runs iodine. Many or none may be defined. The name of each service is``iodine-name*`` where *name is the name of the corresponding attribute name.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ foo = { server = "tunnel.mdomain.com"; relay = "8.8.8.8"; extraConfig = "-v"; } }Declared by:
services.iodine.clients.<name>.extraConfig¶
Additional command line parameters
Type: string
Default:
""Example:
"-l 192.168.1.10 -p 23"Declared by:
services.iodine.clients.<name>.passwordFile¶
File that contains password
Type: string
Default:
""Declared by:
services.iodine.clients.<name>.relay¶
DNS server to use as a intermediate relay to the iodined server
Type: string
Default:
""Example:
"8.8.8.8"Declared by:
services.iodine.clients.<name>.server¶
Domain or Subdomain of server running iodined
Type: string
Default:
""Example:
"tunnel.mydomain.com"Declared by:
services.iodine.server.enable¶
enable iodined server
Type: boolean
Default:
falseDeclared by:
services.iodine.server.domain¶
Domain or subdomain of which nameservers point to us
Type: string
Default:
""Example:
"tunnel.mydomain.com"Declared by:
services.iodine.server.extraConfig¶
Additional command line parameters
Type: string
Default:
""Example:
"-l 192.168.1.10 -p 23"Declared by:
services.iodine.server.ip¶
The assigned ip address or ip range
Type: string
Default:
""Example:
"172.16.10.1/24"Declared by:
services.iodine.server.passwordFile¶
File that contains password
Type: string
Default:
""Declared by:
services.iperf3.enable¶
Whether to enable iperf3 network throughput testing server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.iperf3.affinity¶
CPU affinity for the process.
Type: null or unsigned integer, meaning >=0
Default:
nullDeclared by:
services.iperf3.authorizedUsersFile¶
Path to the configuration file containing authorized users credentials to run iperf tests.
Type: null or path
Default:
nullDeclared by:
services.iperf3.bind¶
Bind to the specific interface associated with the given address.
Type: null or string
Default:
nullDeclared by:
services.iperf3.debug¶
Emit debugging output.
Type: boolean
Default:
falseDeclared by:
services.iperf3.extraFlags¶
services.iperf3.forceFlush¶
Force flushing output at every interval.
Type: boolean
Default:
falseDeclared by:
services.iperf3.openFirewall¶
Open ports in the firewall for iperf3.
Type: boolean
Default:
falseDeclared by:
services.iperf3.port¶
Server port to listen on for iperf3 client requsts.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
5201Declared by:
services.iperf3.rsaPrivateKey¶
Path to the RSA private key (not password-protected) used to decrypt authentication credentials from the client.
Type: null or path
Default:
nullDeclared by:
services.iperf3.verbose¶
Give more detailed output.
Type: boolean
Default:
falseDeclared by:
services.ipfs.enable¶
Whether to enable Interplanetary File System (WARNING: may cause severe network degredation).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ipfs.enableGC¶
Whether to enable automatic garbage collection
Type: boolean
Default:
falseDeclared by:
services.ipfs.apiAddress¶
Where IPFS exposes its API to
Type: string
Default:
"/ip4/127.0.0.1/tcp/5001"Declared by:
services.ipfs.autoMount¶
Whether IPFS should try to mount /ipfs and /ipns at startup.
Type: boolean
Default:
falseDeclared by:
services.ipfs.dataDir¶
The data dir for IPFS
Type: string
Default:
"/var/lib/ipfs"Declared by:
services.ipfs.defaultMode¶
systemd service that is enabled by default
Type: one of “online”, “offline”, “norouting”
Default:
"online"Declared by:
services.ipfs.emptyRepo¶
If set to true, the repo won’t be initialized with help files
Type: boolean
Default:
falseDeclared by:
services.ipfs.extraConfig¶
Attrset of daemon configuration to set using ipfs config, every time the daemon starts. These are applied last, so may override configuration set by other options in this module. Keep in mind that this configuration is stateful; i.e., unsetting anything in here does not reset the value to the default!
Type: attribute set
Default: ``{
}``
Example:
{ Bootstrap = [ "/ip4/128.199.219.111/tcp/4001/ipfs/QmSoLSafTMBsPKadTEgaXctDQVcqN88CNLHXMkTNwMKPnu" "/ip4/162.243.248.213/tcp/4001/ipfs/QmSoLueR4xBeUbY9WZ9xGUUxunbKWcrNFTDAadQJmocnWm" ] ; Datastore = { StorageMax = "100GB"; } ; Discovery = { MDNS = { Enabled = false; } ; } ; Swarm = { AddrFilters = null; } ; }Declared by:
services.ipfs.extraFlags¶
services.ipfs.gatewayAddress¶
Where the IPFS Gateway can be reached
Type: string
Default:
"/ip4/127.0.0.1/tcp/8080"Declared by:
services.ipfs.group¶
Group under which the IPFS daemon runs
Type: string
Default:
"ipfs"Declared by:
services.ipfs.ipfsMountDir¶
Where to mount the IPFS namespace to
Type: string
Default:
"/ipfs"Declared by:
services.ipfs.ipnsMountDir¶
Where to mount the IPNS namespace to
Type: string
Default:
"/ipns"Declared by:
services.ipfs.localDiscovery¶
Whether to enable local discovery for the ipfs daemon. This will allow ipfs to scan ports on your local network. Some hosting services will ban you if you do this.
Type: boolean
Default:
trueDeclared by:
services.ipfs.serviceFdlimit¶
The fdlimit for the IPFS systemd unit or
nullto have the daemon attempt to manage itType: null or signed integer
Default:
nullExample:
65536Declared by:
services.ipfs.swarmAddress¶
Where IPFS listens for incoming p2p connections
Type: list of strings
Default:
[ "/ip4/0.0.0.0/tcp/4001" "/ip6/::/tcp/4001" ]Declared by:
services.ipfs.user¶
User under which the IPFS daemon runs
Type: string
Default:
"ipfs"Declared by:
services.ircdHybrid.enable¶
Enable IRCD.
Type: unspecified
Default:
falseDeclared by:
services.ircdHybrid.adminEmail¶
IRCD server administrator e-mail.
Type: unspecified
Default:
"<bit-bucket@example.com>"Example:
"<name@domain.tld>"Declared by:
services.ircdHybrid.certificate¶
IRCD server SSL certificate. There are some limitations - read manual.
Type: unspecified
Default:
nullExample:
/root/certificates/irc.pemDeclared by:
services.ircdHybrid.description¶
IRCD server description.
Type: unspecified
Default:
"Hybrid-7 IRC server."Declared by:
services.ircdHybrid.extraIPs¶
services.ircdHybrid.extraPort¶
Extra port to avoid filtering.
Type: unspecified
Default:
"7117"Declared by:
services.ircdHybrid.rsaKey¶
IRCD server RSA key.
Type: unspecified
Default:
nullExample:
/root/certificates/irc.keyDeclared by:
services.ircdHybrid.serverName¶
IRCD server name.
Type: unspecified
Default:
"hades.arpa"Declared by:
services.ircdHybrid.sid¶
IRCD server unique ID in a net of servers.
Type: unspecified
Default:
"0NL"Declared by:
services.irkerd.enable¶
Whether to enable irker, an IRC notification daemon.
Type: boolean
Default:
falseDeclared by:
services.irkerd.listenAddress¶
Specifies the bind address on which the irker daemon listens. The default is localhost.
Irker authors strongly warn about the risks of running this on a publicly accessible interface, so change this with caution.
Type: string
Default:
"localhost"Example:
"0.0.0.0"Declared by:
services.irkerd.nick¶
Nick to use for irker
Type: string
Default:
"irker"Declared by:
services.irkerd.openPorts¶
Open ports in the firewall for irkerd
Type: boolean
Default:
falseDeclared by:
services.irqbalance.enable¶
Whether to enable irqbalance daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jack.alsa.enable¶
Route audio to/from generic ALSA-using applications using ALSA JACK PCM plugin.
Type: boolean
Default:
trueDeclared by:
services.jack.alsa.support32Bit¶
Whether to support sound for 32-bit ALSA applications on 64-bit system.
Type: boolean
Default:
falseDeclared by:
services.jack.jackd.enable¶
Whether to enable JACK Audio Connection Kit. You need to add yourself to the “jackaudio” group .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jack.jackd.extraOptions¶
Specifies startup command line arguments to pass to JACK server.
Type: list of strings
Default:
[ "-dalsa" ]Example:
[ "-dalsa" "--device" "hw:1" ];Declared by:
services.jack.jackd.session¶
Commands to run after JACK is started.
Type: strings concatenated with “\n”
Declared by:
services.jack.loopback.enable¶
Create ALSA loopback device, instead of using PCM plugin. Has broader application support (things like Steam will work), but may need fine-tuning for concrete hardware.
Type: boolean
Default:
falseDeclared by:
services.jack.loopback.config¶
ALSA config for loopback device.
Type: strings concatenated with “\n”
Declared by:
services.jack.loopback.dmixConfig¶
For music production software that still doesn’t support JACK natively you would like to put buffer/period adjustments here to decrease dmix device latency.
Type: strings concatenated with “\n”
Default:
""Example:
'' period_size 2048 periods 2 ''Declared by:
services.jack.loopback.index¶
Index of an ALSA loopback device.
Type: signed integer
Default:
10Declared by:
services.jack.loopback.session¶
Additional commands to run to setup loopback device.
Type: strings concatenated with “\n”
Declared by:
services.jackett.enable¶
Whether to enable Jackett.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jackett.package¶
Jackett package to use.
Type: package
Default:
"pkgs.jackett"Declared by:
services.jackett.dataDir¶
The directory where Jackett stores its data files.
Type: string
Default:
"/var/lib/jackett/.config/Jackett"Declared by:
services.jackett.group¶
Group under which Jackett runs.
Type: string
Default:
"jackett"Declared by:
services.jackett.openFirewall¶
Open ports in the firewall for the Jackett web interface.
Type: boolean
Default:
falseDeclared by:
services.jackett.user¶
User account under which Jackett runs.
Type: string
Default:
"jackett"Declared by:
services.jboss.enable¶
Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities.
Type: unspecified
Default:
falseDeclared by:
services.jboss.deployDir¶
Location of the deployment files
Type: unspecified
Default:
"/nix/var/nix/profiles/default/server/default/deploy/"Declared by:
services.jboss.libUrl¶
Location where the shared library JARs are stored
Type: unspecified
Default:
"file:///nix/var/nix/profiles/default/server/default/lib"Declared by:
services.jboss.logDir¶
Location of the logfile directory of JBoss
Type: unspecified
Default:
"/var/log/jboss"Declared by:
services.jboss.serverDir¶
Location of the server instance files
Type: unspecified
Default:
"/var/jboss/server"Declared by:
services.jboss.tempDir¶
Location where JBoss stores its temp files
Type: unspecified
Default:
"/tmp"Declared by:
services.jboss.useJK¶
Whether to use to connector to the Apache HTTP server
Type: unspecified
Default:
falseDeclared by:
services.jboss.user¶
User account under which jboss runs.
Type: unspecified
Default:
"nobody"Declared by:
services.jellyfin.enable¶
Whether to enable Jellyfin Media Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jellyfin.group¶
Group under which jellyfin runs.
Type: string
Default:
"jellyfin"Declared by:
services.jellyfin.user¶
User account under which Jellyfin runs.
Type: string
Default:
"jellyfin"Declared by:
services.jenkins.enable¶
Whether to enable the jenkins continuous integration server.
Type: boolean
Default:
falseDeclared by:
services.jenkins.package¶
Jenkins package to use.
Type: package
Default:
"pkgs.jenkins"Declared by:
services.jenkins.packages¶
Packages to add to PATH for the jenkins process.
Type: list of packages
Default:
"[ pkgs.stdenv pkgs.git pkgs.jdk config.programs.ssh.package pkgs.nix ]"Declared by:
services.jenkins.environment¶
Additional environment variables to be passed to the jenkins process. As a base environment, jenkins receives NIX_PATH from, NIX_REMOTE is set to “daemon” and JENKINS_HOME is set to the value of. This option has precedence and can be used to override those mentioned variables.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.jenkins.extraGroups¶
List of extra groups that the “jenkins” user should be a part of.
Type: list of strings
Default: ``[
]``
Example:
[ "wheel" "dialout" ]Declared by:
services.jenkins.extraJavaOptions¶
Additional command line arguments to pass to the Java run time (as opposed to Jenkins).
Type: list of strings
Default: ``[
]``
Example:
[ "-Xmx80m" ]Declared by:
services.jenkins.extraOptions¶
Additional command line arguments to pass to Jenkins.
Type: list of strings
Default: ``[
]``
Example:
[ "--debug=9" ]Declared by:
services.jenkins.group¶
If the default user “jenkins” is configured then this is the primary group of that user.
Type: string
Default:
"jenkins"Declared by:
services.jenkins.home¶
The path to use as JENKINS_HOME. If the default user “jenkins” is configured then this is the home of the “jenkins” user.
Type: path
Default:
"/var/lib/jenkins"Declared by:
services.jenkins.jobBuilder.enable¶
Whether or not to enable the Jenkins Job Builder (JJB) service. It allows defining jobs for Jenkins in a declarative manner.
Jobs managed through the Jenkins WebUI (or by other means) are left unchanged.
Note that it really is declarative configuration; if you remove a previously defined job, the corresponding job directory will be deleted.
Please see the Jenkins Job Builder documentation for more info:http://docs.openstack.org/infra/jenkins-job-builder/
Type: boolean
Default:
falseDeclared by:
services.jenkins.jobBuilder.accessToken¶
User token in Jenkins used to reload config. WARNING: This token will be world readable in the Nix store. To keep it secret, use the option instead.
Type: string
Default:
""Declared by:
services.jenkins.jobBuilder.accessTokenFile¶
File containing the API token for the user.
Type: string
Default:
""Example:
"/run/keys/jenkins-job-builder-access-token"Declared by:
services.jenkins.jobBuilder.accessUser¶
User id in Jenkins used to reload config.
Type: string
Default:
""Declared by:
services.jenkins.jobBuilder.jsonJobs¶
Job descriptions for Jenkins Job Builder in JSON format.
Type: list of strings
Default: ``[
]``
Example:
[ '' [ { "job": { "name": "jenkins-job-test-2", "builders": [ "shell": "echo 'Hello world!'" ] } } ] '' ]Declared by:
services.jenkins.jobBuilder.nixJobs¶
Job descriptions for Jenkins Job Builder in Nix format.
This is a trivial wrapper around jsonJobs, using builtins.toJSON behind the scene.
Type: list of attribute sets
Default: ``[
]``
Example:
[ { job = { name = "jenkins-job-test-3"; builders = [ { shell = "echo 'Hello world!'"; } ]; }; } ]Declared by:
services.jenkins.jobBuilder.yamlJobs¶
Job descriptions for Jenkins Job Builder in YAML format.
Type: strings concatenated with “\n”
Default:
""Example:
'' - job: name: jenkins-job-test-1 builders: - shell: echo 'Hello world!' ''Declared by:
services.jenkins.listenAddress¶
Specifies the bind address on which the jenkins HTTP interface listens. The default is the wildcard address.
Type: string
Default:
"0.0.0.0"Example:
"localhost"Declared by:
services.jenkins.plugins¶
A set of plugins to activate. Note that this will completely remove and replace any previously installed plugins. If you have manually-installed plugins that you want to keep while using this module, set this option to``null``. You can generate this set with a tool such as
jenkinsPlugins2nix.Type: null or attribute set of packages
Default:
nullExample:
import path/to/jenkinsPlugins2nix-generated-plugins.nix { inherit (pkgs) fetchurl stdenv; }Declared by:
services.jenkins.port¶
Specifies port number on which the jenkins HTTP interface listens. The default is 8080.
Type: signed integer
Default:
8080Declared by:
services.jenkins.prefix¶
Specifies a urlPrefix to use with jenkins. If the example /jenkins is given, the jenkins server will be accessible using localhost:8080/jenkins.
Type: string
Default:
""Example:
"/jenkins"Declared by:
services.jenkins.user¶
User the jenkins server should execute under.
Type: string
Default:
"jenkins"Declared by:
services.jenkinsSlave.enable¶
If true the system will be configured to work as a jenkins slave. If the system is also configured to work as a jenkins master then this has no effect. In progress: Currently only assures the jenkins user is configured.
Type: boolean
Default:
falseDeclared by:
services.jenkinsSlave.group¶
If the default slave agent user “jenkins” is configured then this is the primary group of that user.
Type: string
Default:
"jenkins"Declared by:
services.jenkinsSlave.home¶
The path to use as JENKINS_HOME. If the default user “jenkins” is configured then this is the home of the “jenkins” user.
Type: path
Default:
"/var/lib/jenkins"Declared by:
services.jenkinsSlave.user¶
User the jenkins slave agent should execute under.
Type: string
Default:
"jenkins"Declared by:
services.jira.enable¶
Whether to enable Atlassian JIRA service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jira.package¶
Atlassian JIRA package to use.
Type: package
Default:
"pkgs.atlassian-jira"Declared by:
services.jira.catalinaOptions¶
Java options to pass to catalina/tomcat.
Type: list of strings
Default: ``[
]``
Example:
[ "-Xms1024m" "-Xmx2048m" ]Declared by:
services.jira.group¶
Group which runs JIRA.
Type: string
Default:
"jira"Declared by:
services.jira.home¶
Home directory of the JIRA instance.
Type: string
Default:
"/var/lib/jira"Declared by:
services.jira.jrePackage¶
Note that Atlassian only support the Oracle JRE (JRASERVER-46152).
Type: package
Default:
"pkgs.oraclejre8"Declared by:
services.jira.listenAddress¶
Address to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.jira.listenPort¶
Port to listen on.
Type: signed integer
Default:
8091Declared by:
services.jira.proxy.enable¶
Whether to enable reverse proxy support.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jira.proxy.name¶
Virtual hostname at the proxy
Type: string
Example:
"jira.example.com"Declared by:
services.jira.proxy.port¶
Port used at the proxy
Type: signed integer
Default:
443Example:
80Declared by:
services.jira.proxy.scheme¶
Protocol used at the proxy.
Type: string
Default:
"https"Example:
"http"Declared by:
services.jira.proxy.secure¶
Whether the connections to the proxy should be considered secure.
Type: boolean
Default:
trueDeclared by:
services.jira.sso.enable¶
Whether to enable SSO with Atlassian Crowd.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jira.sso.applicationName¶
Exact name of this JIRA instance in Crowd
Type: string
Example:
"jira"Declared by:
services.jira.sso.applicationPassword¶
Application password of this JIRA instance in Crowd
Type: string
Declared by:
services.jira.sso.crowd¶
Crowd Base URL without trailing slash
Type: string
Example:
"http://localhost:8095/crowd"Declared by:
services.jira.sso.validationInterval¶
Set to 0, if you want authentication checks to occur on each request. Otherwise set to the number of minutes between request to validate if the user is logged in or out of the Crowd SSO server. Setting this value to 1 or higher will increase the performance of Crowd’s integration.
Type: signed integer
Default:
2Example:
0Declared by:
services.jira.user¶
User which runs JIRA.
Type: string
Default:
"jira"Declared by:
services.jirafeau.enable¶
Whether to enable Jirafeau file upload application..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jirafeau.package¶
Jirafeau package to use
Type: package
Default:
"pkgs.jirafeau"Example:
"pkgs.jirafeau"Declared by:
services.jirafeau.adminPasswordSha256¶
SHA-256 of the desired administration password. Leave blank/unset for no password.
Type: string
Default:
""Declared by:
services.jirafeau.dataDir¶
Location of Jirafeau storage directory.
Type: path
Default:
"/var/lib/jirafeau/data/"Declared by:
services.jirafeau.extraConfig¶
Jirefeau configuration. Refer to ` <https://gitlab.com/mojo42/Jirafeau/-/blob/4.1.1/lib/config.original.php>`_ for supported values.
Type: strings concatenated with “\n”
Default:
""Example:
'' $cfg['style'] = 'courgette'; $cfg['organisation'] = 'ACME'; ''Declared by:
services.jirafeau.hostName¶
URL of instance. Must have trailing slash.
Type: string
Default:
"localhost"Declared by:
services.jirafeau.maxUploadSizeMegabytes¶
Maximum upload size of accepted files.
Type: signed integer
Default:
0Declared by:
services.jirafeau.maxUploadTimeout¶
Timeout for reading client request bodies and headers. Refer to` <http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout>`_ and` <http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout>`_ for accepted values.
Type: string
Default:
"30m"Declared by:
services.jirafeau.nginxConfig¶
Extra configuration for the nginx virtual host of Jirafeau.
Type: submodule
Default: ``{
}``
Example:
{ serverAliases = [ "wiki.\\${config.networking.domain}" ] ; }Declared by:
services.jirafeau.nginxConfig.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.jirafeau.nginxConfig.acmeFallbackHost¶
Host which to proxy requests to if acme challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
Type: null or string
Default:
nullDeclared by:
services.jirafeau.nginxConfig.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenge"Declared by:
services.jirafeau.nginxConfig.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.jirafeau.nginxConfig.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the nix store.
Type: attribute set of strings
Default: ``{
}``
Example:
{ user = "password"; };Declared by:
services.jirafeau.nginxConfig.basicAuthFile¶
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>
Type: null or path
Default:
nullDeclared by:
services.jirafeau.nginxConfig.default¶
Makes this vhost the default.
Type: boolean
Default:
falseDeclared by:
services.jirafeau.nginxConfig.extraConfig¶
These lines go to the end of the vhost verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.jirafeau.nginxConfig.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.jirafeau.nginxConfig.globalRedirect¶
If set, all requests for this host are redirected permanently to the given hostname.
Type: null or string
Default:
nullExample:
"newserver.example.org"Declared by:
services.jirafeau.nginxConfig.http2¶
Whether to enable HTTP 2. Note that (as of writing) due to nginx’s implementation, to disable HTTP 2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2,then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default:
trueDeclared by:
services.jirafeau.nginxConfig.listen¶
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides
addSSLandonlySSL.Type: list of submodules
Default: ``[
]``
Example: ``[
{ addr = “195.154.1.1”; port = 443; ssl = true; }
{ addr = “192.154.1.1”; port = 80; }
]``
Declared by:
services.jirafeau.nginxConfig.listen.*.addr¶
services.jirafeau.nginxConfig.listen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of strings
Default: ``[
]``
Example:
[ "reuseport" "deferred" ]Declared by:
services.jirafeau.nginxConfig.listen.*.port¶
Port number.
Type: signed integer
Default:
80Declared by:
services.jirafeau.nginxConfig.listen.*.ssl¶
Enable SSL.
Type: boolean
Default:
falseDeclared by:
services.jirafeau.nginxConfig.locations¶
Declarative location config
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; };Declared by:
services.jirafeau.nginxConfig.locations.<name>.alias¶
Alias directory for requests.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.jirafeau.nginxConfig.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.jirafeau.nginxConfig.locations.<name>.index¶
Adds index directive.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.jirafeau.nginxConfig.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.jirafeau.nginxConfig.locations.<name>.proxyPass¶
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.jirafeau.nginxConfig.locations.<name>.proxyWebsockets¶
Whether to supporty proxying websocket connections with HTTP/1.1.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jirafeau.nginxConfig.locations.<name>.return¶
Adds a return directive, for e.g. redirections.
Type: null or string
Default:
nullExample:
"301 http://example.com\\$request_uri"Declared by:
services.jirafeau.nginxConfig.locations.<name>.root¶
Root directory for requests.
Type: null or path
Default:
nullExample:
"/your/root/directory"Declared by:
services.jirafeau.nginxConfig.locations.<name>.tryFiles¶
Adds try_files directive.
Type: null or string
Default:
nullExample:
"\\$uri =404"Declared by:
services.jirafeau.nginxConfig.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.jirafeau.nginxConfig.root¶
The path of the web root directory.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.jirafeau.nginxConfig.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "example.org" ]Declared by:
services.jirafeau.nginxConfig.serverName¶
Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default:
nullExample:
"example.org"Declared by:
services.jirafeau.nginxConfig.sslCertificate¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.jirafeau.nginxConfig.sslCertificateKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.jirafeau.nginxConfig.sslTrustedCertificate¶
Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default:
nullExample:
"/var/root.cert"Declared by:
services.jirafeau.nginxConfig.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.jirafeau.poolConfig¶
Options for Jirafeau PHP pool. See documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.journalbeat.enable¶
Whether to enable journalbeat.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.journalbeat.package¶
The journalbeat package to use
Type: package
Default:
"pkgs.journalbeat"Example:
pkgs.journalbeat7Declared by:
services.journalbeat.extraConfig¶
Any other configuration options you want to add
Type: strings concatenated with “\n”
Default:
""Declared by:
services.journalbeat.name¶
Name of the beat
Type: string
Default:
"journalbeat"Declared by:
services.journalbeat.stateDir¶
Directory below
/var/lib/to store journalbeat’s own logs and other data. This directory will be created automatically using systemd’s StateDirectory mechanism.Type: string
Default:
"journalbeat"Declared by:
services.journalbeat.tags¶
services.journald.enableHttpGateway¶
Whether to enable the HTTP gateway to the journal.
Type: boolean
Default:
falseDeclared by:
services.journald.console¶
If non-empty, write log messages to the specified TTY device.
Type: string
Default:
""Declared by:
services.journald.extraConfig¶
Extra config options for systemd-journald. See man journald.conf for available options.
Type: strings concatenated with “\n”
Default:
""Example:
"Storage=volatile"Declared by:
services.journald.forwardToSyslog¶
Whether to forward log messages to syslog.
Type: boolean
Default:
"services.rsyslogd.enable \|| services.syslog-ng.enable"Declared by:
services.journald.rateLimitBurst¶
Configures the rate limiting burst limit (number of messages per interval) that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other’s limit.
Type: signed integer
Default:
1000Declared by:
services.journald.rateLimitInterval¶
Configures the rate limiting interval that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other’s limit. The value may be specified in the following units: s, min, h, ms, us. To turn off any kind of rate limiting, set either value to 0.
Type: string
Default:
"30s"Declared by:
services.journaldriver.enable¶
Whether to enable journaldriver to forward journald logs to Stackdriver Logging.
Type: boolean
Default:
falseDeclared by:
services.journaldriver.applicationCredentials¶
Path to the service account private key (in JSON-format) used to forward log entries to Stackdriver Logging on non-GCP instances.
This option is required on non-GCP machines, but should not be set on GCP instances.
Type: null or path
Default:
nullDeclared by:
services.journaldriver.googleCloudProject¶
Configures the name of the Google Cloud project to which to forward journald logs.
This option is required on non-GCP machines, but should not be set on GCP instances.
Type: null or string
Default:
nullDeclared by:
services.journaldriver.logLevel¶
Log level at which journaldriver logs its own output.
Type: string
Default:
"info"Declared by:
services.journaldriver.logName¶
Configures the name of the target log in Stackdriver Logging. This option can be set to, for example, the hostname of a machine to improve the user experience in the logging overview.
Type: null or string
Default:
nullDeclared by:
services.journaldriver.logStream¶
Configures the name of the Stackdriver Logging log stream into which to write journald entries.
This option is required on non-GCP machines, but should not be set on GCP instances.
Type: null or string
Default:
nullDeclared by:
services.journalwatch.enable¶
If enabled, periodically check the journal with journalwatch and report the results by mail.
Type: boolean
Default:
falseDeclared by:
services.journalwatch.accuracy¶
The time window around the interval in which the journalwatch run will be scheduled.
The format is described in systemd.time(7).
Type: string
Default:
"10min"Declared by:
services.journalwatch.extraConfig¶
Extra lines to be added verbatim to the journalwatch/config configuration file. You can add any commandline argument to the config, without the ‘–’. See
journalwatch --helpfor all arguments and their description.Type: string
Default:
""Declared by:
services.journalwatch.filterBlocks¶
filterBlocks can be defined to blacklist journal messages which are not errors. Each block matches on a log entry field, and the filters in that block then are matched against all messages with a matching log entry field.
All messages whose PRIORITY is at least 6 (INFO) are processed by journalwatch. If you don’t specify any filterBlocks, PRIORITY is reduced to 5 (NOTICE) by default.
All regular expressions are extended Python regular expressions, for details see: http://doc.pyschools.com/html/regex.html
Type: list of submodules
Default: ``[
{ filters = “(Stopped|Stopping|Starting|Started) .*\n(Created slice|Removed slice) user-\d*\.slice\.\nReceived SIGRTMIN\+24 from PID .*\n(Reached target|Stopped target) .*\nStartup finished in \d*ms\.\n”; match = “SYSLOG_IDENTIFIER = systemd”; }
]``
Example: ``[
{ filters = “New session [a-z]?\d+ of user \w+\.\nRemoved session [a-z]?\d+\.\n”; match = “_SYSTEMD_UNIT = systemd-logind.service”; }
{ filters = “pam_unix\(crond:session\): session (opened|closed) for user \w+\n\(\w+\) CMD .*\n”; match = “SYSLOG_IDENTIFIER = /(CROND|crond)/”; }
]``
Declared by:
services.journalwatch.filterBlocks.*.filters¶
The filters to apply on all messages which satisfy . Any of those messages that match any specified filter will be removed from journalwatch’s output. Each filter is an extended Python regular expression. You can specify multiple filters and separate them by newlines. Lines starting with ‘#’ are comments. Inline-comments are not permitted.
Type: string
Example:
'' (Stopped|Stopping|Starting|Started) .* (Reached target|Stopped target) .* ''Declared by:
services.journalwatch.filterBlocks.*.match¶
Syntax:
field = valueSpecifies the log entryfieldthis block should apply to. If thefieldof a message matches thisvalue, this patternBlock’s are applied. Ifvaluestarts and ends with a slash, it is interpreted as an extended python regular expression, if not, it’s an exact match. The journal fields are explained in systemd.journal-fields(7).Type: string
Example:
"SYSLOG_IDENTIFIER = systemd"Declared by:
services.journalwatch.interval¶
How often to run journalwatch.
The format is described in systemd.time(7).
Type: string
Default:
"hourly"Declared by:
services.journalwatch.mailBinary¶
Sendmail-compatible binary to be used to send the messages.
Type: path
Default:
"/run/wrappers/bin/sendmail"Declared by:
services.journalwatch.mailFrom¶
Mail address to send journalwatch reports from.
Type: string
Default:
"journalwatch@nixos"Declared by:
services.journalwatch.mailTo¶
Mail address to send journalwatch reports to.
Type: null or string
Default:
nullDeclared by:
services.journalwatch.priority¶
Lowest priority of message to be considered. A value between 7 (“debug”), and 0 (“emerg”). Defaults to 6 (“info”). If you don’t care about anything with “info” priority, you can reduce this to e.g. 5 (“notice”) to considerably reduce the amount of messages without needing many .
Type: signed integer
Default:
6Declared by:
services.jupyter.enable¶
Whether to enable Jupyter development server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.jupyter.group¶
Name of the group used to run the jupyter service. Use this if you want to create a group of users that are able to view the notebook directory’s content.
Type: string
Default:
"jupyter"Example:
"users"Declared by:
services.jupyter.ip¶
IP address Jupyter will be listening on.
Type: string
Default:
"localhost"Declared by:
services.jupyter.kernels¶
Declarative kernel config
Kernels can be declared in any language that supports and has the required dependencies to communicate with a jupyter server. In python’s case, it means that ipykernel package must always be included in the list of packages of the targeted environment.
Type: null or attribute set of submodules
Default:
nullExample:
{ python3 = let env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ ipykernel pandas scikitlearn ])); in { displayName = "Python 3 for machine learning"; argv = [ "${env.interpreter}" "-m" "ipykernel_launcher" "-f" "{connection_file}" ]; language = "python"; logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png"; logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png"; }; }Declared by:
services.jupyter.kernels.<name>.argv¶
Command and arguments to start the kernel.
Type: list of strings
Example:
[ "{customEnv.interpreter}" "-m" "ipykernel_launcher" "-f" "{connection_file}" ]Declared by:
services.jupyter.kernels.<name>.displayName¶
Name that will be shown to the user.
Type: string
Default:
""Example:
[ "Python 3" "Python 3 for Data Science" ]Declared by:
services.jupyter.kernels.<name>.language¶
Language of the environment. Typically the name of the binary.
Type: string
Example:
"python"Declared by:
services.jupyter.kernels.<name>.logo32¶
Path to 32x32 logo png.
Type: null or path
Default:
nullExample:
"{env.sitePackages}/ipykernel/resources/logo-32x32.png"Declared by:
services.jupyter.kernels.<name>.logo64¶
Path to 64x64 logo png.
Type: null or path
Default:
nullExample:
"{env.sitePackages}/ipykernel/resources/logo-64x64.png"Declared by:
services.jupyter.notebookConfig¶
Raw jupyter config.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.jupyter.notebookDir¶
Root directory for notebooks.
Type: string
Default:
"~/"Declared by:
services.jupyter.password¶
Password to use with notebook. Can be generated using: In [1]: from notebook.auth import passwd In [2]: passwd(‘test’) Out[2]: ‘sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba’ NOTE: you need to keep the single quote inside the nix string. Or you can use a python oneliner: “open(‘/path/secret_file’, ‘r’, encoding=’utf8’).read().strip()” It will be interpreted at the end of the notebookConfig.
Type: string
Example:
[ "'sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba'" "open('/path/secret_file', 'r', encoding='utf8').read().strip()" ]Declared by:
services.jupyter.port¶
Port number Jupyter will be listening on.
Type: signed integer
Default:
8888Declared by:
services.jupyter.user¶
Name of the user used to run the jupyter service. For security reason, jupyter should really not be run as root. If not set (jupyter), the service will create a jupyter user with appropriate settings.
Type: string
Default:
"jupyter"Example:
"aborsu"Declared by:
services.kapacitor.enable¶
Whether to enable kapacitor.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kapacitor.alerta.enable¶
Whether to enable kapacitor alerta integration.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kapacitor.alerta.environment¶
Default Alerta environment
Type: string
Default:
"Production"Declared by:
services.kapacitor.alerta.origin¶
Default origin of alert
Type: string
Default:
"kapacitor"Declared by:
services.kapacitor.alerta.token¶
Default Alerta authentication token
Type: string
Default:
""Declared by:
services.kapacitor.alerta.url¶
The URL to the Alerta REST API
Type: string
Default:
"http://localhost:5000"Example:
"http://localhost:5000"Declared by:
services.kapacitor.bind¶
Address to bind to. The default is to bind to all addresses
Type: string
Default:
""Example:
0.0.0.0Declared by:
services.kapacitor.dataDir¶
Location where Kapacitor stores its state
Type: path
Default:
"/var/lib/kapacitor"Example:
"/var/lib/kapacitor"Declared by:
services.kapacitor.defaultDatabase.enable¶
Whether to enable kapacitor.defaultDatabase.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kapacitor.defaultDatabase.password¶
The password to connect to the remote InfluxDB server
Type: string
Declared by:
services.kapacitor.defaultDatabase.url¶
The URL to an InfluxDB server that serves as the default database
Type: string
Example:
"http://localhost:8086"Declared by:
services.kapacitor.defaultDatabase.username¶
The username to connect to the remote InfluxDB server
Type: string
Declared by:
services.kapacitor.extraConfig¶
These lines go into kapacitord.conf verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.kapacitor.group¶
Group under which Kapacitor runs
Type: string
Default:
"kapacitor"Declared by:
services.kapacitor.loadDirectory¶
Directory where to load services from, such as tasks, templates and handlers (or null to disable service loading on startup)
Type: null or path
Default:
nullDeclared by:
services.kapacitor.port¶
Port of Kapacitor
Type: signed integer
Default:
9092Declared by:
services.kapacitor.taskSnapshotInterval¶
Specifies how often to snapshot the task state (in InfluxDB time units)
Type: string
Default:
"1m0s"Example:
"1m0s"Declared by:
services.kapacitor.user¶
User account under which Kapacitor runs
Type: string
Default:
"kapacitor"Declared by:
services.kbfs.enable¶
Whether to mount the Keybase filesystem.
Type: boolean
Default:
falseDeclared by:
services.kbfs.enableRedirector¶
Whether to enable the Keybase root redirector service, allowing any user to access KBFS files via
/keybase, which will show different contents depending on the requester.Type: boolean
Default:
falseDeclared by:
services.kbfs.extraFlags¶
Additional flags to pass to the Keybase filesystem on launch.
Type: list of strings
Default: ``[
]``
Example:
[ "-label kbfs" "-mount-type normal" ]Declared by:
services.kbfs.mountPoint¶
Mountpoint for the Keybase filesystem.
Type: string
Default:
"%h/keybase"Example:
"/keybase"Declared by:
services.keepalived.enable¶
Whether to enable Keepalived.
Type: boolean
Default:
falseDeclared by:
services.keepalived.enableScriptSecurity¶
Don’t run scripts configured to be run as root if any part of the path is writable by a non-root user.
Type: boolean
Default:
falseDeclared by:
services.keepalived.extraConfig¶
Extra lines to be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.keepalived.extraGlobalDefs¶
Extra lines to be added verbatim to the ‘global_defs’ block of the configuration file
Type: strings concatenated with “\n”
Default:
""Declared by:
services.keepalived.snmp.enable¶
Whether to enable the builtin AgentX subagent.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.enableChecker¶
Enable SNMP handling of checker element of KEEPALIVED MIB.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.enableKeepalived¶
Enable SNMP handling of vrrp element of KEEPALIVED MIB.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.enableRfc¶
Enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.enableRfcV2¶
Enable SNMP handling of RFC2787 VRRP MIB.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.enableRfcV3¶
Enable SNMP handling of RFC6527 VRRP MIB.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.enableTraps¶
Enable SNMP traps.
Type: boolean
Default:
falseDeclared by:
services.keepalived.snmp.socket¶
Socket to use for connecting to SNMP master agent. If this value is set to null, keepalived’s default will be used, which is unix:/var/agentx/master, unless using a network namespace, when the default is udp:localhost:705.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances¶
services.keepalived.vrrpInstances.<name>.extraConfig¶
Extra lines to be added verbatim to the vrrp_instance section.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.keepalived.vrrpInstances.<name>.interface¶
Interface for inside_network, bound by vrrp.
Type: string
Declared by:
services.keepalived.vrrpInstances.<name>.noPreempt¶
VRRP will normally preempt a lower priority machine when a higher priority machine comes online. “nopreempt” allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online. NOTE: For this to work, the initial state of this entry must be BACKUP.
Type: boolean
Default:
falseDeclared by:
services.keepalived.vrrpInstances.<name>.priority¶
For electing MASTER, highest priority wins. To be MASTER, make 50 more than other machines.
Type: signed integer
Default:
100Declared by:
services.keepalived.vrrpInstances.<name>.state¶
Initial state. As soon as the other machine(s) come up, an election will be held and the machine with the highest “priority” will become MASTER. So the entry here doesn’t matter a whole lot.
Type: one of “MASTER”, “BACKUP”
Default:
"BACKUP"Declared by:
services.keepalived.vrrpInstances.<name>.trackInterfaces¶
List of network interfaces to monitor for health tracking.
Type: list of strings
Default: ``[
]``
Example:
[ "eth0" "eth1" ]Declared by:
services.keepalived.vrrpInstances.<name>.trackScripts¶
List of script names to invoke for health tracking.
Type: list of strings
Default: ``[
]``
Example:
[ "chk_cmd1" "chk_cmd2" ]Declared by:
services.keepalived.vrrpInstances.<name>.unicastPeers¶
Do not send VRRP adverts over VRRP multicast group. Instead it sends adverts to the following list of ip addresses using unicast design fashion. It can be cool to use VRRP FSM and features in a networking environment where multicast is not supported! IP Addresses specified can IPv4 as well as IPv6.
Type: list of strings
Default: ``[
]``
Declared by:
services.keepalived.vrrpInstances.<name>.unicastSrcIp¶
Default IP for binding vrrpd is the primary IP on interface. If you want to hide location of vrrpd, use this IP as src_addr for unicast vrrp packets.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances.<name>.useVmac¶
Use VRRP Virtual MAC.
Type: boolean
Default:
falseDeclared by:
services.keepalived.vrrpInstances.<name>.virtualIps¶
Declarative vhost config
Type: list of submodules
Default: ``[
]``
Example:
TODO: ExampleDeclared by:
services.keepalived.vrrpInstances.<name>.virtualIps.*.addr¶
IP address, optionally with a netmask: IPADDR[/MASK]
Type: string
Declared by:
services.keepalived.vrrpInstances.<name>.virtualIps.*.brd¶
The broadcast address on the interface.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances.<name>.virtualIps.*.dev¶
The name of the device to add the address to.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances.<name>.virtualIps.*.label¶
Each address may be tagged with a label string. In order to preserve compatibility with Linux-2.0 net aliases, this string must coincide with the name of the device or must be prefixed with the device name followed by colon.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances.<name>.virtualIps.*.scope¶
The scope of the area where this address is valid.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances.<name>.virtualRouterId¶
Arbitrary unique number 0..255. Used to differentiate multiple instances of vrrpd running on the same NIC (and hence same socket).
Type: signed integer
Declared by:
services.keepalived.vrrpInstances.<name>.vmacInterface¶
Name of the vmac interface to use. keepalived will come up with a name if you don’t specify one.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpInstances.<name>.vmacXmitBase¶
Send/Recv VRRP messages from base interface instead of VMAC interface.
Type: boolean
Default:
falseDeclared by:
services.keepalived.vrrpScripts¶
services.keepalived.vrrpScripts.<name>.extraConfig¶
Extra lines to be added verbatim to the vrrp_script section.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.keepalived.vrrpScripts.<name>.fall¶
Required number of failures for KO transition.
Type: signed integer
Default:
3Declared by:
services.keepalived.vrrpScripts.<name>.group¶
Name of group to run the script under. Defaults to user group.
Type: null or string
Default:
nullDeclared by:
services.keepalived.vrrpScripts.<name>.interval¶
Seconds between script invocations.
Type: signed integer
Default:
1Declared by:
services.keepalived.vrrpScripts.<name>.rise¶
Required number of successes for OK transition.
Type: signed integer
Default:
5Declared by:
services.keepalived.vrrpScripts.<name>.script¶
(Path of) Script command to execute followed by args, i.e. cmd [args]…
Type: string
Example:
"\\${pkgs.curl} -f http://localhost:80"Declared by:
services.keepalived.vrrpScripts.<name>.timeout¶
Seconds after which script is considered to have failed.
Type: signed integer
Default:
5Declared by:
services.keepalived.vrrpScripts.<name>.user¶
Name of user to run the script under.
Type: string
Default:
"keepalived_script"Declared by:
services.keepalived.vrrpScripts.<name>.weight¶
Following a failure, adjust the priority by this weight.
Type: signed integer
Default:
0Declared by:
services.kerberos_server.enable¶
Enable the kerberos authentification server.
Type: unspecified
Default:
falseDeclared by:
services.kerberos_server.realms¶
The realm(s) to serve keys for.
Type: attribute set of submodules
Declared by:
services.kerberos_server.realms.<name>.acl¶
The privileges granted to a user.
Type: list of submodules
Default: ``[
{ access = “all”; principal = “*/admin”; }
{ access = “all”; principal = “admin”; }
]``
Declared by:
services.kerberos_server.realms.<name>.acl.*.access¶
The changes the principal is allowed to make.
Type: list of one of “add”, “cpw”, “delete”, “get”, “list”, “modify”s or one of “all”
Default:
"all"Declared by:
services.kerberos_server.realms.<name>.acl.*.principal¶
Which principal the rule applies to
Type: string
Declared by:
services.kerberos_server.realms.<name>.acl.*.target¶
The principals that ‘access’ applies to.
Type: string
Default:
"\*"Declared by:
services.keybase.enable¶
Whether to start the Keybase service.
Type: boolean
Default:
falseDeclared by:
services.kibana.enable¶
Whether to enable kibana service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kibana.package¶
Kibana package to use
Type: package
Default:
"pkgs.kibana"Example:
"pkgs.kibana"Declared by:
services.kibana.cert¶
Kibana ssl certificate.
Type: null or path
Default:
nullDeclared by:
services.kibana.dataDir¶
Kibana data directory
Type: path
Default:
"/var/lib/kibana"Declared by:
services.kibana.defaultAppId¶
Elasticsearch default application id.
Type: string
Default:
"discover"Declared by:
services.kibana.elasticsearch.ca¶
CA file to auth against elasticsearch.
It’s recommended to use the option when using kibana-5.4 or newer.
Type: null or path
Default:
nullDeclared by:
services.kibana.elasticsearch.cert¶
Certificate file to auth against elasticsearch.
Type: null or path
Default:
nullDeclared by:
services.kibana.elasticsearch.certificateAuthorities¶
CA files to auth against elasticsearch.
Please use the option when using kibana < 5.4 because those old versions don’t support setting multiple CA’s.
This defaults to the singleton list [ca] when the option is defined.
Type: list of paths
Default: ``[
]``
Declared by:
services.kibana.elasticsearch.hosts¶
The URLs of the Elasticsearch instances to use for all your queries. All nodes listed here must be on the same cluster.
Defaults to
[ "http://localhost:9200" ].This option is only valid when using kibana >= 6.6.
Type: null or list of strings
Default:
nullDeclared by:
services.kibana.elasticsearch.key¶
Key file to auth against elasticsearch.
Type: null or path
Default:
nullDeclared by:
services.kibana.elasticsearch.password¶
Password for elasticsearch basic auth.
Type: null or string
Default:
nullDeclared by:
services.kibana.elasticsearch.url¶
Elasticsearch url.
Defaults to
"http://localhost:9200".Don’t set this when using Kibana >= 7.0.0 because it will result in a configuration error. Use instead.
Type: null or string
Default:
nullDeclared by:
services.kibana.elasticsearch.username¶
Username for elasticsearch basic auth.
Type: null or string
Default:
nullDeclared by:
services.kibana.extraConf¶
services.kibana.index¶
Elasticsearch index to use for saving kibana config.
Type: string
Default:
".kibana"Declared by:
services.kibana.key¶
Kibana ssl key.
Type: null or path
Default:
nullDeclared by:
services.kibana.listenAddress¶
Kibana listening host
Type: string
Default:
"127.0.0.1"Declared by:
services.kibana.port¶
Kibana listening port
Type: signed integer
Default:
5601Declared by:
services.kippo.enable¶
Enable the kippo honeypot ssh server.
Type: boolean
Default:
falseDeclared by:
services.kippo.extraConfig¶
Extra verbatim configuration added to the end of kippo.cfg.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.kippo.hostname¶
Hostname for kippo to present to SSH login
Type: string
Default:
"nas3"Declared by:
services.kippo.logPath¶
Path of log files needed for operation and configuration.
Type: path
Default:
"/var/log/kippo"Declared by:
services.kippo.pidPath¶
Path of pid files needed for operation.
Type: path
Default:
"/run/kippo"Declared by:
services.kippo.port¶
TCP port number for kippo to bind to.
Type: signed integer
Default:
2222Declared by:
services.kippo.varPath¶
Path of read/write files needed for operation and configuration.
Type: path
Default:
"/var/lib/kippo"Declared by:
services.klogd.enable¶
Whether to enable klogd, the kernel log message processing daemon. Since systemd handles logging of kernel messages on Linux 3.5 and later, this is only useful if you’re running an older kernel.
Type: boolean
Default:
falseDeclared by:
services.kmscon.enable¶
Use kmscon as the virtual console instead of gettys. kmscon is a kms/dri-based userspace virtual terminal implementation. It supports a richer feature set than the standard linux console VT, including full unicode support, and when the video card supports drm should be much faster.
Type: boolean
Default:
falseDeclared by:
services.kmscon.autologinUser¶
Username of the account that will be automatically logged in at the console. If unspecified, a login prompt is shown as usual.
Type: null or string
Default:
nullDeclared by:
services.kmscon.extraConfig¶
Extra contents of the kmscon.conf file.
Type: strings concatenated with “\n”
Default:
""Example:
"font-size=14"Declared by:
services.kmscon.extraOptions¶
Extra flags to pass to kmscon.
Type: strings concatenated with ” “
Default:
""Example:
"--term xterm-256color"Declared by:
services.kmscon.hwRender¶
Whether to use 3D hardware acceleration to render the console.
Type: boolean
Default:
falseDeclared by:
services.knot.enable¶
Whether to enable Knot authoritative-only DNS server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.knot.package¶
Which Knot DNS package to use
Type: package
Default:
"pkgs.knot-dns"Declared by:
services.knot.extraArgs¶
List of additional command line paramters for knotd
Type: list of strings
Default: ``[
]``
Declared by:
services.knot.extraConfig¶
Extra lines to be added verbatim to knot.conf
Type: strings concatenated with “\n”
Default:
""Declared by:
services.knot.keyFiles¶
A list of files containing additional configuration to be included using the include directive. This option allows to include configuration like TSIG keys without exposing them to the nix store readable to any process. Note that using this option will also disable configuration checks at build time.
Type: list of paths
Default: ``[
]``
Declared by:
services.kresd.enable¶
Whether to enable knot-resolver domain name server. DNSSEC validation is turned on by default. You can run
sudo nc -U /run/knot-resolver/control/1and give commands interactively to kresd@1.service.Type: boolean
Default:
falseDeclared by:
services.kresd.extraConfig¶
Extra lines to be added verbatim to the generated configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.kresd.instances¶
The number of instances to start. They will be called kresd@{1,2,…}.service. Knot Resolver uses no threads, so this is the way to scale. You can dynamically start/stop them at will, so this is just system default.
Type: unsigned integer, meaning >=0
Default:
1Declared by:
services.kresd.listenDoH¶
Addresses and ports on which kresd should provide DNS over HTTPS (see RFC 8484). For detailed syntax see ListenStream in man systemd.socket.
Type: list of strings
Default: ``[
]``
Example:
[ "198.51.100.1:443" "\[2001:db8::1]:443" "443" ]Declared by:
services.kresd.listenPlain¶
What addresses and ports the server should listen on. For detailed syntax see ListenStream in man systemd.socket.
Type: list of strings
Default:
[ "\[::1]:53" "127.0.0.1:53" ]Example:
[ "53" ]Declared by:
services.kresd.listenTLS¶
Addresses and ports on which kresd should provide DNS over TLS (see RFC 7858). For detailed syntax see ListenStream in man systemd.socket.
Type: list of strings
Default: ``[
]``
Example:
[ "198.51.100.1:853" "\[2001:db8::1]:853" "853" ]Declared by:
services.kubernetes.package¶
Kubernetes package to use.
Type: package
Default:
"pkgs.kubernetes"Declared by:
services.kubernetes.addonManager.enable¶
Whether to enable Whether to enable Kubernetes addon manager..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.addonManager.addons¶
Kubernetes addons (any kind of Kubernetes resource can be an addon).
Type: attribute set of attribute set or list of attribute setss
Default: ``{
}``
Example:
{ "my-service" = { "apiVersion" = "v1"; "kind" = "Service"; "metadata" = { "name" = "my-service"; "namespace" = "default"; }; "spec" = { ... }; }; } // import <nixpkgs/nixos/modules/services/cluster/kubernetes/dashboard.nix> { cfg = config.services.kubernetes; };Declared by:
services.kubernetes.addonManager.bootstrapAddons¶
Bootstrap addons are like regular addons, but they are applied with cluster-admin rigths. They are applied at addon-manager startup only.
Type: attribute set of attribute sets
Default: ``{
}``
Example:
{ "my-service" = { "apiVersion" = "v1"; "kind" = "Service"; "metadata" = { "name" = "my-service"; "namespace" = "default"; }; "spec" = { ... }; }; }Declared by:
services.kubernetes.addons.dashboard.enable¶
Whether to enable kubernetes dashboard addon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.addons.dashboard.extraArgs¶
Extra arguments to append to the dashboard cmdline
Type: list of strings
Default: ``[
]``
Example:
[ "--enable-skip-login" ]Declared by:
services.kubernetes.addons.dashboard.image¶
Docker image to seed for the kubernetes dashboard container.
Type: attribute set
Default:
{ finalImageTag = "v1.10.1"; imageDigest = "sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747"; imageName = "k8s.gcr.io/kubernetes-dashboard-amd64"; sha256 = "01xrr4pwgr2hcjrjsi3d14ifpzdfbxzqpzxbk2fkbjb9zkv38zxy"; }Declared by:
services.kubernetes.addons.dashboard.rbac¶
services.kubernetes.addons.dashboard.rbac.enable¶
Whether to enable role based access control is enabled for kubernetes dashboard
Type: boolean
Default:
trueDeclared by:
services.kubernetes.addons.dashboard.rbac.clusterAdmin¶
Whether to assign cluster admin rights to the kubernetes dashboard
Type: boolean
Default:
falseDeclared by:
services.kubernetes.addons.dashboard.version¶
Which version of the kubernetes dashboard to deploy
Type: string
Default:
"v1.10.1"Declared by:
services.kubernetes.addons.dns.enable¶
Whether to enable kubernetes dns addon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.addons.dns.clusterDomain¶
Dns cluster domain
Type: string
Default:
"cluster.local"Declared by:
services.kubernetes.addons.dns.clusterIp¶
Dns addon clusterIP
Type: string
Default:
"10.0.0.254"Declared by:
services.kubernetes.addons.dns.coredns¶
Docker image to seed for the CoreDNS container.
Type: attribute set
Default:
{ finalImageTag = "1.6.4"; imageDigest = "sha256:493ee88e1a92abebac67cbd4b5658b4730e0f33512461442d8d9214ea6734a9b"; imageName = "coredns/coredns"; sha256 = "0fm9zdjavpf5hni8g7fkdd3csjbhd7n7py7llxjc66sbii087028"; }Declared by:
services.kubernetes.addons.dns.reconcileMode¶
Controls the addon manager reconciliation mode for the DNS addon.
Setting reconcile mode to EnsureExists makes it possible to tailor DNS behavior by editing the coredns ConfigMap.
See: ` <https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/addon-manager/README.md>`_.
Type: one of “Reconcile”, “EnsureExists”
Default:
"Reconcile"Declared by:
services.kubernetes.addons.dns.replicas¶
Number of DNS pod replicas to deploy in the cluster.
Type: signed integer
Default:
2Declared by:
services.kubernetes.apiserver.enable¶
Whether to enable Kubernetes apiserver.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.apiserver.enableAdmissionPlugins¶
Kubernetes admission control plugins to enable. See` <https://kubernetes.io/docs/admin/admission-controllers/>`_
Type: list of strings
Default:
[ "NamespaceLifecycle" "LimitRanger" "ServiceAccount" "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds" "NodeRestriction" ]Example:
[ "NamespaceLifecycle" "NamespaceExists" "LimitRanger" "SecurityContextDeny" "ServiceAccount" "ResourceQuota" "PodSecurityPolicy" "NodeRestriction" "DefaultStorageClass" ]Declared by:
services.kubernetes.apiserver.advertiseAddress¶
Kubernetes apiserver IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster.
Type: null or string
Default:
nullDeclared by:
services.kubernetes.apiserver.allowPrivileged¶
Whether to allow privileged containers on Kubernetes.
Type: boolean
Default:
falseDeclared by:
services.kubernetes.apiserver.authorizationMode¶
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See` <https://kubernetes.io/docs/reference/access-authn-authz/authorization/>`_
Type: list of one of “AlwaysAllow”, “AlwaysDeny”, “ABAC”, “Webhook”, “RBAC”, “Node”s
Default:
[ "RBAC" "Node" ]Declared by:
services.kubernetes.apiserver.authorizationPolicy¶
Kubernetes apiserver authorization policy file. See` <https://kubernetes.io/docs/reference/access-authn-authz/authorization/>`_
Type: list of attribute sets
Default: ``[
]``
Declared by:
services.kubernetes.apiserver.basicAuthFile¶
Kubernetes apiserver basic authentication file. See` <https://kubernetes.io/docs/reference/access-authn-authz/authentication>`_
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.bindAddress¶
The IP address on which to listen for the –secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients.
Type: string
Default:
"0.0.0.0"Declared by:
services.kubernetes.apiserver.clientCaFile¶
Kubernetes apiserver CA file for client auth.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.disableAdmissionPlugins¶
Kubernetes admission control plugins to disable. See` <https://kubernetes.io/docs/admin/admission-controllers/>`_
Type: list of strings
Default: ``[
]``
Declared by:
services.kubernetes.apiserver.etcd.caFile¶
Etcd ca file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.etcd.certFile¶
Etcd cert file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.etcd.keyFile¶
Etcd key file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.etcd.servers¶
List of etcd servers.
Type: list of strings
Default:
[ "http://127.0.0.1:2379" ]Declared by:
services.kubernetes.apiserver.extraOpts¶
Kubernetes apiserver extra command line options.
Type: string
Default:
""Declared by:
services.kubernetes.apiserver.extraSANs¶
Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.
Type: list of strings
Default: ``[
]``
Declared by:
services.kubernetes.apiserver.featureGates¶
services.kubernetes.apiserver.insecureBindAddress¶
The IP address on which to serve the –insecure-port.
Type: string
Default:
"127.0.0.1"Declared by:
services.kubernetes.apiserver.insecurePort¶
Kubernetes apiserver insecure listening port. (0 = disabled)
Type: signed integer
Default:
0Declared by:
services.kubernetes.apiserver.kubeletClientCaFile¶
Path to a cert file for connecting to kubelet.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.kubeletClientCertFile¶
Client certificate to use for connections to kubelet.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.kubeletClientKeyFile¶
Key to use for connections to kubelet.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.kubeletHttps¶
Whether to use https for connections to kubelet.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.apiserver.preferredAddressTypes¶
List of the preferred NodeAddressTypes to use for kubelet connections.
Type: null or string
Default:
nullDeclared by:
services.kubernetes.apiserver.proxyClientCertFile¶
Client certificate to use for connections to proxy.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.proxyClientKeyFile¶
Key to use for connections to proxy.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.runtimeConfig¶
Api runtime configuration. See` <https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/>`_
Type: string
Default:
"authentication.k8s.io/v1beta1=true"Example:
"api/all=false,api/v1=true"Declared by:
services.kubernetes.apiserver.securePort¶
Kubernetes apiserver secure port.
Type: signed integer
Default:
6443Declared by:
services.kubernetes.apiserver.serviceAccountKeyFile¶
Kubernetes apiserver PEM-encoded x509 RSA private or public key file, used to verify ServiceAccount tokens. By default tls private key file is used.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.serviceClusterIpRange¶
A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes for pods.
Type: string
Default:
"10.0.0.0/24"Declared by:
services.kubernetes.apiserver.storageBackend¶
Kubernetes apiserver storage backend.
Type: one of “etcd2”, “etcd3”
Default:
"etcd3"Declared by:
services.kubernetes.apiserver.tlsCertFile¶
Kubernetes apiserver certificate file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.tlsKeyFile¶
Kubernetes apiserver private key file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.tokenAuthFile¶
Kubernetes apiserver token authentication file. See` <https://kubernetes.io/docs/reference/access-authn-authz/authentication>`_
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserver.verbosity¶
Optional glog verbosity level for logging statements. See` <https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md>`_
Type: null or signed integer
Default:
nullDeclared by:
services.kubernetes.apiserver.webhookConfig¶
Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. See ` <https://kubernetes.io/docs/reference/access-authn-authz/webhook/>`_
Type: null or path
Default:
nullDeclared by:
services.kubernetes.apiserverAddress¶
Clusterwide accessible address for the kubernetes apiserver, including protocol and optional port.
Type: string
Example:
"https://kubernetes-apiserver.example.com:6443"Declared by:
services.kubernetes.caFile¶
Default kubernetes certificate authority
Type: null or path
Default:
nullDeclared by:
services.kubernetes.clusterCidr¶
Kubernetes controller manager and proxy CIDR Range for Pods in cluster.
Type: null or string
Default:
"10.1.0.0/16"Declared by:
services.kubernetes.controllerManager.enable¶
Whether to enable Kubernetes controller manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.controllerManager.allocateNodeCIDRs¶
Whether to automatically allocate CIDR ranges for cluster nodes.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.controllerManager.bindAddress¶
Kubernetes controller manager listening address.
Type: string
Default:
"127.0.0.1"Declared by:
services.kubernetes.controllerManager.clusterCidr¶
Kubernetes CIDR Range for Pods in cluster.
Type: string
Default:
"10.1.0.0/16"Declared by:
services.kubernetes.controllerManager.extraOpts¶
Kubernetes controller manager extra command line options.
Type: string
Default:
""Declared by:
services.kubernetes.controllerManager.featureGates¶
services.kubernetes.controllerManager.insecurePort¶
Kubernetes controller manager insecure listening port.
Type: signed integer
Default:
0Declared by:
services.kubernetes.controllerManager.kubeconfig.caFile¶
Kubernetes controller manager certificate authority file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.kubeconfig.certFile¶
Kubernetes controller manager client certificate file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.kubeconfig.keyFile¶
Kubernetes controller manager client key file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.kubeconfig.server¶
Kubernetes controller manager kube-apiserver server address.
Type: string
Declared by:
services.kubernetes.controllerManager.leaderElect¶
Whether to start leader election before executing main loop.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.controllerManager.rootCaFile¶
Kubernetes controller manager certificate authority file included in service account’s token secret.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.securePort¶
Kubernetes controller manager secure listening port.
Type: signed integer
Default:
10252Declared by:
services.kubernetes.controllerManager.serviceAccountKeyFile¶
Kubernetes controller manager PEM-encoded private RSA key file used to sign service account tokens
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.tlsCertFile¶
Kubernetes controller-manager certificate file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.tlsKeyFile¶
Kubernetes controller-manager private key file.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.controllerManager.verbosity¶
Optional glog verbosity level for logging statements. See` <https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md>`_
Type: null or signed integer
Default:
nullDeclared by:
services.kubernetes.dataDir¶
Kubernetes root directory for managing kubelet files.
Type: path
Default:
"/var/lib/kubernetes"Declared by:
services.kubernetes.easyCerts¶
Automatically setup x509 certificates and keys for the entire cluster.
Type: boolean
Default:
falseDeclared by:
services.kubernetes.featureGates¶
services.kubernetes.flannel.enable¶
Whether to enable enable flannel networking.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.kubeconfig.caFile¶
Default kubeconfig certificate authority file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubeconfig.certFile¶
Default kubeconfig client certificate file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubeconfig.keyFile¶
Default kubeconfig client key file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubeconfig.server¶
Default kubeconfig kube-apiserver server address.
Type: string
Declared by:
services.kubernetes.kubelet.enable¶
Whether to enable Kubernetes kubelet..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.kubelet.address¶
Kubernetes kubelet info server listening address.
Type: string
Default:
"0.0.0.0"Declared by:
services.kubernetes.kubelet.clientCaFile¶
Kubernetes apiserver CA file for client authentication.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.clusterDns¶
Use alternative DNS.
Type: string
Default:
"10.1.0.1"Declared by:
services.kubernetes.kubelet.clusterDomain¶
Use alternative domain.
Type: string
Default:
"cluster.local"Declared by:
services.kubernetes.kubelet.cni.packages¶
services.kubernetes.kubelet.cni.config¶
Kubernetes CNI configuration.
Type: list of attribute sets
Default: ``[
]``
Example:
[{ "cniVersion": "0.3.1", "name": "mynet", "type": "bridge", "bridge": "cni0", "isGateway": true, "ipMasq": true, "ipam": { "type": "host-local", "subnet": "10.22.0.0/16", "routes": [ { "dst": "0.0.0.0/0" } ] } } { "cniVersion": "0.3.1", "type": "loopback" }]Declared by:
services.kubernetes.kubelet.cni.configDir¶
Path to Kubernetes CNI configuration directory.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.extraOpts¶
Kubernetes kubelet extra command line options.
Type: string
Default:
""Declared by:
services.kubernetes.kubelet.featureGates¶
services.kubernetes.kubelet.healthz.bind¶
Kubernetes kubelet healthz listening address.
Type: string
Default:
"127.0.0.1"Declared by:
services.kubernetes.kubelet.healthz.port¶
Kubernetes kubelet healthz port.
Type: signed integer
Default:
10248Declared by:
services.kubernetes.kubelet.hostname¶
Kubernetes kubelet hostname override.
Type: string
Default:
"nixos"Declared by:
services.kubernetes.kubelet.kubeconfig.caFile¶
Kubelet certificate authority file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.kubeconfig.certFile¶
Kubelet client certificate file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.kubeconfig.keyFile¶
Kubelet client key file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.kubeconfig.server¶
Kubelet kube-apiserver server address.
Type: string
Declared by:
services.kubernetes.kubelet.manifests¶
List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)
Type: attribute set of attribute sets
Default: ``{
}``
Declared by:
services.kubernetes.kubelet.networkPlugin¶
Network plugin to use by Kubernetes.
Type: null or one of “cni”, “kubenet”
Default:
"kubenet"Declared by:
services.kubernetes.kubelet.nodeIp¶
IP address of the node. If set, kubelet will use this IP address for the node.
Type: null or string
Default:
nullDeclared by:
services.kubernetes.kubelet.port¶
Kubernetes kubelet info server listening port.
Type: signed integer
Default:
10250Declared by:
services.kubernetes.kubelet.registerNode¶
Whether to auto register kubelet with API server.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.kubelet.seedDockerImages¶
services.kubernetes.kubelet.taints¶
Node taints (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/).
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.kubernetes.kubelet.taints.<name>.effect¶
Effect of taint.
Type: one of “NoSchedule”, “PreferNoSchedule”, “NoExecute”
Example:
"NoSchedule"Declared by:
services.kubernetes.kubelet.taints.<name>.key¶
Key of taint.
Type: string
Default:
"‹name›"Declared by:
services.kubernetes.kubelet.taints.<name>.value¶
Value of taint.
Type: string
Declared by:
services.kubernetes.kubelet.tlsCertFile¶
File containing x509 Certificate for HTTPS.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.tlsKeyFile¶
File containing x509 private key matching tlsCertFile.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.kubelet.unschedulable¶
Whether to set node taint to unschedulable=true as it is the case of node that has only master role.
Type: boolean
Default:
falseDeclared by:
services.kubernetes.kubelet.verbosity¶
Optional glog verbosity level for logging statements. See` <https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md>`_
Type: null or signed integer
Default:
nullDeclared by:
services.kubernetes.lib¶
Common functions for the kubernetes modules.
Type: attribute set
Default:
{ mkCert = "<function>"; mkKubeConfig = "<function>"; mkKubeConfigOptions = "<function>"; }Declared by:
services.kubernetes.masterAddress¶
Clusterwide available network address or hostname for the kubernetes master server.
Type: string
Example:
"master.example.com"Declared by:
services.kubernetes.path¶
Packages added to the services’ PATH environment variable. Both the bin and sbin subdirectories of each package are added.
Type: list of packages
Default: ``[
]``
Declared by:
services.kubernetes.pki.enable¶
Whether to enable easyCert issuer service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.pki.caCertPathPrefix¶
Path-prefrix for the CA-certificate to be used for cfssl signing. Suffixes “.pem” and “-key.pem” will be automatically appended for the public and private keys respectively.
Type: string
Default:
"/var/lib/cfssl/ca"Declared by:
services.kubernetes.pki.caSpec¶
Certificate specification for the auto-generated CAcert.
Type: attribute set
Default:
{ CN = "kubernetes-cluster-ca"; L = "auto-generated"; O = "NixOS"; OU = "services.kubernetes.pki.caSpec"; }Declared by:
services.kubernetes.pki.certs¶
List of certificate specs to feed to cert generator.
Type: attribute set
Default: ``{
}``
Declared by:
services.kubernetes.pki.cfsslAPIExtraSANs¶
Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.
Type: list of strings
Default: ``[
]``
Example:
[ "subdomain.example.com" ]Declared by:
services.kubernetes.pki.etcClusterAdminKubeconfig¶
Symlink a kubeconfig with cluster-admin privileges to environment path (/etc/<path>).
Type: null or string
Default:
nullDeclared by:
services.kubernetes.pki.genCfsslAPICerts¶
Whether to automatically generate cfssl API webserver TLS cert and key, if they don’t exist.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.pki.genCfsslAPIToken¶
Whether to automatically generate cfssl API-token secret, if they doesn’t exist.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.pki.genCfsslCACert¶
Whether to automatically generate cfssl CA certificate and key, if they don’t exist.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.pki.pkiTrustOnBootstrap¶
Whether to always trust remote cfssl server upon initial PKI bootstrap.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.proxy.enable¶
Whether to enable Kubernetes proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.proxy.bindAddress¶
Kubernetes proxy listening address.
Type: string
Default:
"0.0.0.0"Declared by:
services.kubernetes.proxy.extraOpts¶
Kubernetes proxy extra command line options.
Type: string
Default:
""Declared by:
services.kubernetes.proxy.featureGates¶
services.kubernetes.proxy.hostname¶
Kubernetes proxy hostname override.
Type: string
Default:
"nixos"Declared by:
services.kubernetes.proxy.kubeconfig.caFile¶
Kubernetes proxy certificate authority file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.proxy.kubeconfig.certFile¶
Kubernetes proxy client certificate file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.proxy.kubeconfig.keyFile¶
Kubernetes proxy client key file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.proxy.kubeconfig.server¶
Kubernetes proxy kube-apiserver server address.
Type: string
Declared by:
services.kubernetes.proxy.verbosity¶
Optional glog verbosity level for logging statements. See` <https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md>`_
Type: null or signed integer
Default:
nullDeclared by:
services.kubernetes.roles¶
Kubernetes role that this machine should take.
Master role will enable etcd, apiserver, scheduler, controller manager addon manager, flannel and proxy services. Node role will enable flannel, docker, kubelet and proxy services.
Type: list of one of “master”, “node”s
Default: ``[
]``
Declared by:
services.kubernetes.scheduler.enable¶
Whether to enable Kubernetes scheduler.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.kubernetes.scheduler.address¶
Kubernetes scheduler listening address.
Type: string
Default:
"127.0.0.1"Declared by:
services.kubernetes.scheduler.extraOpts¶
Kubernetes scheduler extra command line options.
Type: string
Default:
""Declared by:
services.kubernetes.scheduler.featureGates¶
services.kubernetes.scheduler.kubeconfig.caFile¶
Kubernetes scheduler certificate authority file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.scheduler.kubeconfig.certFile¶
Kubernetes scheduler client certificate file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.scheduler.kubeconfig.keyFile¶
Kubernetes scheduler client key file used to connect to kube-apiserver.
Type: null or path
Default:
nullDeclared by:
services.kubernetes.scheduler.kubeconfig.server¶
Kubernetes scheduler kube-apiserver server address.
Type: string
Declared by:
services.kubernetes.scheduler.leaderElect¶
Whether to start leader election before executing main loop.
Type: boolean
Default:
trueDeclared by:
services.kubernetes.scheduler.port¶
Kubernetes scheduler listening port.
Type: signed integer
Default:
10251Declared by:
services.kubernetes.scheduler.verbosity¶
Optional glog verbosity level for logging statements. See` <https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md>`_
Type: null or signed integer
Default:
nullDeclared by:
services.kubernetes.secretsPath¶
Default location for kubernetes secrets. Not a store location.
Type: path
Default:
"/var/lib/kubernetes/secrets"Declared by:
services.lambdabot.enable¶
Enable the Lambdabot IRC bot
Type: boolean
Default:
falseDeclared by:
services.lambdabot.package¶
Used lambdabot package
Type: package
Default:
"pkgs.lambdabot"Declared by:
services.lambdabot.script¶
Lambdabot script
Type: string
Default:
""Declared by:
services.leaps.enable¶
Whether to enable leaps.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.leaps.address¶
Hostname or IP-address to listen to. By default it will listen on all interfaces.
Type: string
Default:
""Example:
"127.0.0.1"Declared by:
services.leaps.path¶
Subdirectory used for reverse proxy setups
Type: path
Default:
"/"Declared by:
services.leaps.port¶
A port where leaps listens for incoming http requests
Type: signed integer
Default:
8080Declared by:
services.libreswan.enable¶
Whether to enable libreswan ipsec service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.libreswan.configSetup¶
Options to go in the ‘config setup’ section of the libreswan ipsec configuration
Type: strings concatenated with “\n”
Default:
'' protostack=netkey nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''Example:
'' secretsfile=/root/ipsec.secrets protostack=netkey nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''Declared by:
services.libreswan.connections¶
A set of connections to define for the libreswan ipsec service
Type: attribute set of strings concatenated with “\n”s
Default: ``{
}``
Example:
{ myconnection = "auto=add\\nleft=%defaultroute\\nleftid=@user\\n\\nright=my.vpn.com\\n\\nikev2=no\\nikelifetime=8h\\n"; }Declared by:
services.lidarr.enable¶
Whether to enable Lidarr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.lidarr.package¶
The Lidarr package to use
Type: package
Default:
"pkgs.lidarr"Declared by:
services.lidarr.dataDir¶
The directory where Lidarr stores its data files.
Type: string
Default:
"/var/lib/lidarr/.config/Lidarr"Declared by:
services.lidarr.group¶
Group under which Lidarr runs.
Type: string
Default:
"lidarr"Declared by:
services.lidarr.openFirewall¶
Open ports in the firewall for Lidarr
Type: boolean
Default:
falseDeclared by:
services.lidarr.user¶
User account under which Lidarr runs.
Type: string
Default:
"lidarr"Declared by:
services.lighttpd.enable¶
Enable the lighttpd web server.
Type: boolean
Default:
falseDeclared by:
services.lighttpd.enableModules¶
List of lighttpd modules to enable. Sub-services take care of enabling modules as needed, so this option is mainly for when you want to add custom stuff to that depends on a certain module.
Type: list of strings
Default: ``[
]``
Example:
[ "mod_cgi" "mod_status" ]Declared by:
services.lighttpd.enableUpstreamMimeTypes¶
Whether to include the list of mime types bundled with lighttpd (upstream). If you disable this, no mime types will be added by NixOS and you will have to add your own mime types in.
Type: boolean
Default:
trueDeclared by:
services.lighttpd.cgit.enable¶
If true, enable cgit (fast web interface for git repositories) as a sub-service in lighttpd.
Type: boolean
Default:
falseDeclared by:
services.lighttpd.cgit.configText¶
Verbatim contents of the cgit runtime configuration file. Documentation (with cgitrc example file) is available in “man cgitrc”. Or online: http://git.zx2c4.com/cgit/tree/cgitrc.5.txt
Type: strings concatenated with “\n”
Default:
""Example:
'' source-filter=''${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py about-filter=''${pkgs.cgit}/lib/cgit/filters/about-formatting.sh cache-size=1000 scan-path=/srv/git ''Declared by:
services.lighttpd.cgit.subdir¶
The subdirectory in which to serve cgit. The web application will be accessible at http://yourserver/${subdir}
Type: string
Default:
"cgit"Example:
""Declared by:
services.lighttpd.collectd.enable¶
Whether to enable collectd subservice accessible at http://yourserver/collectd.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.lighttpd.collectd.collectionCgi¶
Path to collection.cgi script from (collectd sources)/contrib/collection.cgi This option allows to use a customized version
Type: path
Default:
*(build of collection.cgi)*Declared by:
services.lighttpd.configText¶
Overridable config file contents to use for lighttpd. By default, use the contents automatically generated by NixOS.
Type: strings concatenated with “\n”
Default:
""Example:
"...verbatim config file contents..."Declared by:
services.lighttpd.document-root¶
Document-root of the web server. Must be readable by the “lighttpd” user.
Type: path
Default:
"/srv/www"Declared by:
services.lighttpd.extraConfig¶
These configuration lines will be appended to the generated lighttpd config file. Note that this mechanism does not work when the manual option is used.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.lighttpd.gitweb.enable¶
If true, enable gitweb in lighttpd. Access it at http://yourserver/gitweb
Type: boolean
Default:
falseDeclared by:
services.lighttpd.mod_status¶
Show server status overview at /server-status, statistics at /server-statistics and list of loaded modules at /server-config.
Type: boolean
Default:
falseDeclared by:
services.lighttpd.mod_userdir¶
If true, requests in the form /~user/page.html are rewritten to take the file public_html/page.html from the home directory of the user.
Type: boolean
Default:
falseDeclared by:
services.lighttpd.port¶
TCP port number for lighttpd to bind to.
Type: signed integer
Default:
80Declared by:
services.limesurvey.enable¶
Whether to enable Limesurvey web application..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.limesurvey.config¶
LimeSurvey configuration. Refer to` <https://manual.limesurvey.org/Optional_settings>`_ for details on supported values.
Type: limesurvey config type (str, int, bool or attribute set thereof)
Default: ``{
}``
Declared by:
services.limesurvey.database.createLocally¶
Create the database and database user locally. This currently only applies if database type “mysql” is selected.
Type: boolean
Default:
"true"Declared by:
services.limesurvey.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.limesurvey.database.name¶
Database name.
Type: string
Default:
"limesurvey"Declared by:
services.limesurvey.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/limesurvey-dbpassword"Declared by:
services.limesurvey.database.port¶
Database host port.
Type: signed integer
Default:
"3306"Declared by:
services.limesurvey.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
"/run/mysqld/mysqld.sock"Declared by:
services.limesurvey.database.type¶
Database engine to use.
Type: one of “mysql”, “pgsql”, “odbc”, “mssql”
Default:
"mysql"Example:
"pgsql"Declared by:
services.limesurvey.database.user¶
Database user.
Type: string
Default:
"limesurvey"Declared by:
services.limesurvey.poolConfig¶
Options for the LimeSurvey PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.limesurvey.virtualHost¶
Apache configuration can be done by adapting
services.httpd.virtualHosts.<name>. See services.httpd.virtualHosts for further information.Type: submodule
Example:
{ hostName = "survey.example.org"; adminAddr = "webmaster@example.org"; forceSSL = true; enableACME = true; }Declared by:
services.limesurvey.virtualHost.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.limesurvey.virtualHost.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.limesurvey.virtualHost.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.limesurvey.virtualHost.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.limesurvey.virtualHost.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.limesurvey.virtualHost.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.limesurvey.virtualHost.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.listen¶
services.limesurvey.virtualHost.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.limesurvey.virtualHost.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.limesurvey.virtualHost.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.limesurvey.virtualHost.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.limesurvey.virtualHost.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.limesurvey.virtualHost.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.limesurvey.virtualHost.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.limesurvey.virtualHost.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.limesurvey.virtualHost.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.limesurvey.virtualHost.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.limesurvey.virtualHost.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.limesurvey.virtualHost.servedDirs¶
services.limesurvey.virtualHost.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.limesurvey.virtualHost.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.limesurvey.virtualHost.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.limesurvey.virtualHost.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.limesurvey.virtualHost.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.limesurvey.virtualHost.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.liquidsoap.streams¶
Set of Liquidsoap streams to start, one systemd service per stream.
Type: attribute set of path or strings
Default: ``{
}``
Example:
{ myStream1 = "/etc/liquidsoap/myStream1.liq"; myStream2 = ./myStream2.liq; myStream3 = "out(playlist(\\"/srv/music/\\"))"; }Declared by:
services.lirc.enable¶
Whether to enable LIRC daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.lirc.configs¶
Configurations for lircd to load, see man:lircd.conf(5) for details (
lircd.conf)Type: list of strings concatenated with “\n”s
Declared by:
services.lirc.extraArguments¶
services.lirc.options¶
LIRC default options descriped in man:lircd(8) (
lirc_options.conf)Type: strings concatenated with “\n”
Example:
'' [lircd] nodaemon = False ''Declared by:
services.lldpd.enable¶
Whether to enable Link Layer Discovery Protocol Daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.lldpd.extraArgs¶
List of command line parameters for lldpd
Type: list of strings
Default: ``[
]``
Example:
[ "-c" "-k" "-I eth0" ]Declared by:
services.localtime.enable¶
Enable
localtime, simple daemon for keeping the system timezone up-to-date based on the current location. It uses geoclue2 to determine the current location and systemd-timedated to actually set the timezone.Type: unspecified
Default:
falseDeclared by:
services.locate.enable¶
If enabled, NixOS will periodically update the database of files used by the locate command.
Type: boolean
Default:
falseDeclared by:
services.locate.extraFlags¶
services.locate.interval¶
Update the locate database at this interval. Updates by default at 2:15 AM every day.
The format is described insystemd.time7.
Type: string
Default:
"02:15"Example:
"hourly"Declared by:
services.locate.localuser¶
The user to search non-network directories as, using:command:su.
Type: null or string
Default:
"nobody"Declared by:
services.locate.locate¶
The locate implementation to use
Type: package
Default:
"pkgs.findutils"Example:
"pkgs.mlocate"Declared by:
services.locate.output¶
The database file to build.
Type: path
Default:
"/var/cache/locatedb"Declared by:
services.locate.pruneBindMounts¶
Whether not to index bind mounts
Type: boolean
Default:
falseDeclared by:
services.locate.pruneFS¶
Which filesystem types to exclude from indexing
Type: list of strings
Default:
[ "afs" "anon_inodefs" "auto" "autofs" "bdev" "binfmt" "binfmt_misc" "cgroup" "cifs" "coda" "configfs" "cramfs" "cpuset" "debugfs" "devfs" "devpts" "devtmpfs" "ecryptfs" "eventpollfs" "exofs" "futexfs" "ftpfs" "fuse" "fusectl" "gfs" "gfs2" "hostfs" "hugetlbfs" "inotifyfs" "iso9660" "jffs2" "lustre" "misc" "mqueue" "ncpfs" "nnpfs" "ocfs" "ocfs2" "pipefs" "proc" "ramfs" "rpc_pipefs" "securityfs" "selinuxfs" "sfs" "shfs" "smbfs" "sockfs" "spufs" "nfs" "NFS" "nfs4" "nfsd" "sshfs" "subfs" "supermount" "sysfs" "tmpfs" "ubifs" "udf" "usbfs" "vboxsf" "vperfctrfs" ]Declared by:
services.locate.pruneNames¶
Directory components which should exclude paths containing them from indexing
Type: list of strings
Default: ``[
]``
Declared by:
services.locate.prunePaths¶
Which paths to exclude from indexing
Type: list of paths
Default:
[ "/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool" "/nix/store" ]Declared by:
services.logcheck.enable¶
Enable the logcheck cron job.
Type: boolean
Default:
falseDeclared by:
services.logcheck.config¶
Config options that you would like in logcheck.conf.
Type: strings concatenated with “\n”
Default:
"FQDN=1"Declared by:
services.logcheck.extraGroups¶
Extra groups for the logcheck user, for example to be able to use sendmail, or to access certain log files.
Type: list of strings
Default: ``[
]``
Example:
[ "postdrop" "mongodb" ]Declared by:
services.logcheck.extraRulesDirs¶
Directories with extra rules.
Type: list of paths
Default: ``[
]``
Example:
"/etc/logcheck"Declared by:
services.logcheck.files¶
Which log files to check.
Type: list of paths
Default:
[ "/var/log/messages" ]Example:
[ "/var/log/messages" "/var/log/mail" ]Declared by:
services.logcheck.ignore¶
This option defines extra ignore rules.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.logcheck.ignore.<name>.level¶
Set the logcheck level.
Type: one of “workstation”, “server”, “paranoid”
Default:
"server"Declared by:
services.logcheck.ignore.<name>.regex¶
Regex specifying which log lines to ignore.
Type: string
Default:
""Declared by:
services.logcheck.ignoreCron¶
This option defines extra ignore rules for cronjobs.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.logcheck.ignoreCron.<name>.cmdline¶
Command line for the cron job. Will be turned into a regex for the logcheck ignore rule.
Type: string
Default:
""Declared by:
services.logcheck.ignoreCron.<name>.timeArgs¶
“min hr dom mon dow” crontab time args, to auto-create a cronjob too. Leave at null to not do this and just add a logcheck ignore rule.
Type: null or string
Default:
nullExample:
"02 06 * * \*"Declared by:
services.logcheck.ignoreCron.<name>.user¶
User that runs the cronjob.
Type: string
Default:
"root"Declared by:
services.logcheck.level¶
Set the logcheck level. Either “workstation”, “server”, or “paranoid”.
Type: string
Default:
"server"Declared by:
services.logcheck.mailTo¶
Email address to send reports to.
Type: string
Default:
"root"Example:
"you@domain.com"Declared by:
services.logcheck.timeOfDay¶
Time of day to run logcheck. A logcheck will be scheduled at xx:02 each day. Leave default (*) to run every hour. Of course when nothing special was logged, logcheck will be silent.
Type: string
Default:
"\*"Example:
"6"Declared by:
services.logcheck.user¶
Username for the logcheck user.
Type: string
Default:
"logcheck"Declared by:
services.logind.extraConfig¶
Extra config options for systemd-logind. See`logind.conf(5) <https://www.freedesktop.org/software/systemd/man/logind.conf.html>`_ for available options.
Type: strings concatenated with “\n”
Default:
""Example:
"IdleAction=lock"Declared by:
services.logind.killUserProcesses¶
Specifies whether the processes of a user should be killed when the user logs out. If true, the scope unit corresponding to the session and all processes inside that scope will be terminated. If false, the scope is “abandoned” (see`systemd.scope(5) <https://www.freedesktop.org/software/systemd/man/systemd.scope.html#>`_), and processes are not killed.
See logind.conf(5) for more details.
Type: boolean
Default:
falseDeclared by:
services.logind.lidSwitch¶
Specifies what to be done when the laptop lid is closed.
Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”
Default:
"suspend"Example:
"ignore"Declared by:
services.logind.lidSwitchDocked¶
Specifies what to be done when the laptop lid is closed and another screen is added.
Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”
Default:
"ignore"Example:
"suspend"Declared by:
services.logind.lidSwitchExternalPower¶
Specifies what to do when the laptop lid is closed and the system is on external power. By default use the same action as specified in services.logind.lidSwitch.
Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”
Default:
"services.logind.lidSwitch"Example:
"ignore"Declared by:
services.logkeys.enable¶
Whether to enable logkeys service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.logkeys.device¶
Use the given device as keyboard input event device instead of /dev/input/eventX default.
Type: null or string
Default:
nullExample:
"/dev/input/event15"Declared by:
services.logmein-hamachi.enable¶
Whether to enable LogMeIn Hamachi, a proprietary (closed source) commercial VPN software.
Type: boolean
Default:
falseDeclared by:
services.logrotate.enable¶
Enable the logrotate cron job
Type: boolean
Default:
falseDeclared by:
services.logrotate.config¶
The contents of the logrotate config file
Type: strings concatenated with “\n”
Default:
""Declared by:
services.logstash.enable¶
Enable logstash.
Type: boolean
Default:
falseDeclared by:
services.logstash.package¶
Logstash package to use.
Type: package
Default:
"pkgs.logstash"Example:
pkgs.logstashDeclared by:
services.logstash.dataDir¶
A path to directory writable by logstash that it uses to store data. Plugins will also have access to this path.
Type: string
Default:
"/var/lib/logstash"Declared by:
services.logstash.extraSettings¶
Extra Logstash settings in YAML format.
Type: strings concatenated with “\n”
Default:
""Example:
'' pipeline: batch: size: 125 delay: 5 ''Declared by:
services.logstash.filterConfig¶
logstash filter configuration.
Type: strings concatenated with “\n”
Default:
""Example:
'' if [type] == "syslog" { # Keep only relevant systemd fields # http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html prune { whitelist_names => [ "type", "@timestamp", "@version", "MESSAGE", "PRIORITY", "SYSLOG_FACILITY" ] } } ''Declared by:
services.logstash.filterWorkers¶
The quantity of filter workers to run.
Type: signed integer
Default:
1Declared by:
services.logstash.inputConfig¶
Logstash input configuration.
Type: strings concatenated with “\n”
Default:
"generator { }"Example:
'' # Read from journal pipe { command => "''${pkgs.systemd}/bin/journalctl -f -o json" type => "syslog" codec => json {} } ''Declared by:
services.logstash.listenAddress¶
Address on which to start webserver.
Type: string
Default:
"127.0.0.1"Declared by:
services.logstash.logLevel¶
Logging verbosity level.
Type: one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
"warn"Declared by:
services.logstash.outputConfig¶
Logstash output configuration.
Type: strings concatenated with “\n”
Default:
"stdout { codec => rubydebug }"Example:
'' redis { host => ["localhost"] data_type => "list" key => "logstash" codec => json } elasticsearch { } ''Declared by:
services.logstash.plugins¶
The paths to find other logstash plugins in.
Type: list of paths
Default: ``[
]``
Example:
[ pkgs.logstash-contrib ]Declared by:
services.logstash.port¶
Port on which to start webserver.
Type: string
Default:
"9292"Declared by:
services.loki.enable¶
Whether to enable loki.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.loki.configFile¶
Specify a configuration file that Loki should use.
Type: null or path
Default:
nullDeclared by:
services.loki.configuration¶
services.loki.dataDir¶
Specify the directory for Loki.
Type: path
Default:
"/var/lib/loki"Declared by:
services.loki.extraFlags¶
Specify a list of additional command line flags, which get escaped and are then passed to Loki.
Type: list of strings
Default: ``[
]``
Example:
*Declared by:*
services.loki.group¶
Group under which the Loki service runs.
Type: string
Default:
"loki"Declared by:
services.loki.user¶
User under which the Loki service runs.
Type: string
Default:
"loki"Declared by:
services.longview.enable¶
If enabled, system metrics will be sent to Linode LongView.
Type: boolean
Default:
falseDeclared by:
services.longview.apacheStatusUrl¶
The Apache status page URL. If provided, Longview will gather statistics from this location. This requires Apache mod_status to be loaded and enabled.
Type: string
Default:
""Example:
"http://127.0.0.1/server-status"Declared by:
services.longview.apiKey¶
Longview API key. To get this, look in Longview settings which are found at https://manager.linode.com/longview/.
Warning: this secret is stored in the world-readable Nix store! Use instead.
Type: string
Default:
""Example:
"01234567-89AB-CDEF-0123456789ABCDEF"Declared by:
services.longview.apiKeyFile¶
A file containing the Longview API key. To get this, look in Longview settings which are found at https://manager.linode.com/longview/.
takes precedence over .
Type: null or path
Default:
nullExample:
"/run/keys/longview-api-key"Declared by:
services.longview.mysqlPassword¶
The password corresponding to . Warning: this is stored in cleartext in the Nix store! Use instead.
Type: string
Default:
""Declared by:
services.longview.mysqlPasswordFile¶
A file containing the password corresponding to .
Type: null or path
Default:
nullExample:
"/run/keys/dbpassword"Declared by:
services.longview.mysqlUser¶
The user for connecting to the MySQL database. If provided, Longview will connect to MySQL and collect statistics about queries, etc. This user does not need to have been granted any extra privileges.
Type: string
Default:
""Declared by:
services.longview.nginxStatusUrl¶
The Nginx status page URL. Longview will gather statistics from this URL. This requires the Nginx stub_status module to be enabled and configured at the given location.
Type: string
Default:
""Example:
"http://127.0.0.1/nginx_status"Declared by:
services.lorri.enable¶
Enables the daemon for `lorri`, a nix-shell replacement for project development. The socket-activated daemon starts on the first request issued by the `lorri` command.
Type: boolean
Default:
falseDeclared by:
services.lshd.enable¶
Whether to enable the GNU lshd SSH2 daemon, which allows secure remote login.
Type: unspecified
Default:
falseDeclared by:
services.lshd.hostKey¶
Path to the server’s private key. Note that this key must have been created, e.g., using “lsh-keygen –server | lsh-writekey –server”, so that you can run lshd.
Type: unspecified
Default:
"/etc/lsh/host-key"Declared by:
services.lshd.interfaces¶
List of network interfaces where listening for connections. When providing the empty list, `[]’, lshd listens on all network interfaces.
Type: unspecified
Default: ``[
]``
Example:
[ "localhost" "1.2.3.4:443" ]Declared by:
services.lshd.loginShell¶
If non-null, override the default login shell with the specified value.
Type: unspecified
Default:
nullExample:
"/nix/store/xyz-bash-10.0/bin/bash10"Declared by:
services.lshd.passwordAuthentication¶
Whether to enable password authentication.
Type: unspecified
Default:
trueDeclared by:
services.lshd.portNumber¶
The port on which to listen for connections.
Type: unspecified
Default:
22Declared by:
services.lshd.publicKeyAuthentication¶
Whether to enable public key authentication.
Type: unspecified
Default:
trueDeclared by:
services.lshd.rootLogin¶
Whether to enable remote root login.
Type: unspecified
Default:
falseDeclared by:
services.lshd.srpKeyExchange¶
Whether to enable SRP key exchange and user authentication.
Type: unspecified
Default:
falseDeclared by:
services.lshd.subsystems¶
List of subsystem-path pairs, where the head of the pair denotes the subsystem name, and the tail denotes the path to an executable implementing it.
Type: unspecified
Declared by:
services.lshd.syslog¶
Whether to enable syslog output.
Type: unspecified
Default:
trueDeclared by:
services.lshd.tcpForwarding¶
Whether to enable TCP/IP forwarding.
Type: unspecified
Default:
trueDeclared by:
services.lshd.x11Forwarding¶
Whether to enable X11 forwarding.
Type: unspecified
Default:
trueDeclared by:
services.magnetico.enable¶
Whether to enable Magnetico, Bittorrent DHT crawler.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.magnetico.crawler.address¶
Address to be used for indexing DHT nodes.
Type: string
Default:
"0.0.0.0"Example:
"1.2.3.4"Declared by:
services.magnetico.crawler.extraOptions¶
Extra command line arguments to pass to magneticod.
Type: list of strings
Default: ``[
]``
Declared by:
services.magnetico.crawler.maxLeeches¶
Maximum number of simultaneous leeches.
Type: positive integer, meaning >0
Default:
200Declared by:
services.magnetico.crawler.maxNeighbors¶
Maximum number of simultaneous neighbors of an indexer. Be careful changing this number: high values can very easily cause your network to be congested or even crash your router.
Type: positive integer, meaning >0
Default:
1000Declared by:
services.magnetico.crawler.port¶
Port to be used for indexing DHT nodes. This port should be added to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
0Declared by:
services.magnetico.web.address¶
Address the web interface will listen to.
Type: string
Default:
"localhost"Example:
"1.2.3.4"Declared by:
services.magnetico.web.credentials¶
The credentials to access the web interface, in case authentication is enabled, in the format
username:hash. If unset no authentication will be required.Usernames must start with a lowercase ([a-z]) ASCII character, might contain non-consecutive underscores except at the end, and consists of small-case a-z characters and digits 0-9. The:command:htpasswd tool from the apacheHttpd package may be used to generate the hash: htpasswd -bnBC 12 username password
Warning
The hashes will be stored world-readable in the nix store. Consider using the
credentialsFileoption if you don’t want this.Type: attribute set of strings
Default: ``{
}``
Example:
{ myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG"; }Declared by:
services.magnetico.web.credentialsFile¶
The path to the file holding the credentials to access the web interface. If unset no authentication will be required.
The file must constain user names and password hashes in the format``username:hash``, one for each line. Usernames must start with a lowecase ([a-z]) ASCII character, might contain non-consecutive underscores except at the end, and consists of small-case a-z characters and digits 0-9. The htpasswd tool from the apacheHttpd package may be used to generate the hash:htpasswd -bnBC 12 username password
Type: null or path
Default:
nullDeclared by:
services.magnetico.web.extraOptions¶
Extra command line arguments to pass to magneticow.
Type: list of strings
Default: ``[
]``
Declared by:
services.magnetico.web.port¶
Port the web interface will listen to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080Declared by:
services.mail.freepopsd.enable¶
Enables Freepops, a POP3 webmail wrapper.
Type: boolean
Default:
falseDeclared by:
services.mail.freepopsd.bind¶
Bind over an IPv4 address instead of any.
Type: string
Default:
"0.0.0.0"Declared by:
services.mail.freepopsd.logFile¶
Filename of the log file or syslog to rely on the logging daemon.
Type: string
Default:
"/var/log/freepopsd"Example:
"syslog"Declared by:
services.mail.freepopsd.port¶
Port on which the pop server will listen.
Type: signed integer
Default:
2000Declared by:
services.mail.freepopsd.suid.group¶
Group under which freepopsd will be after binding the port.
Type: string
Default:
"nogroup"Declared by:
services.mail.freepopsd.suid.user¶
User name under which freepopsd will be after binding the port.
Type: string
Default:
"nobody"Declared by:
services.mail.freepopsd.threads¶
Max simultaneous connections.
Type: signed integer
Default:
5Declared by:
services.mailcatcher.enable¶
Whether to enable MailCatcher.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mailcatcher.http.ip¶
The ip address of the http server.
Type: string
Default:
"127.0.0.1"Declared by:
services.mailcatcher.http.path¶
Prefix to all HTTP paths.
Type: null or string
Default:
nullExample:
"/mailcatcher"Declared by:
services.mailcatcher.http.port¶
The port address of the http server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
1080Declared by:
services.mailcatcher.smtp.ip¶
The ip address of the smtp server.
Type: string
Default:
"127.0.0.1"Declared by:
services.mailcatcher.smtp.port¶
The port address of the smtp server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
1025Declared by:
services.mailhog.enable¶
Whether to enable MailHog.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mailhog.user¶
User account under which mailhog runs.
Type: string
Default:
"mailhog"Declared by:
services.mailman.enable¶
Enable Mailman on this host. Requires an active Postfix installation.
Type: boolean
Default:
falseDeclared by:
services.mailman.package¶
Mailman package to use
Type: package
Default:
"pkgs.mailman"Example:
"pkgs.mailman.override { archivers = \[]; }"Declared by:
services.mailman.hyperkitty.enable¶
Whether to enable the Hyperkitty archiver for Mailman.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mailman.hyperkitty.baseUrl¶
Where can Mailman connect to Hyperkitty’s internal API, preferably on localhost?
Type: string
Default:
"http://localhost/hyperkitty/"Declared by:
services.mailman.siteOwner¶
Certain messages that must be delivered to a human, but which can’t be delivered to a list owner (e.g. a bounce from a list owner), will be sent to this address. It should point to a human.
Type: string
Example:
"postmaster@example.org"Declared by:
services.mailman.webHosts¶
The list of hostnames and/or IP addresses from which the Mailman Web UI will accept requests. By default, “localhost” and “127.0.0.1” are enabled. All additional names under which your web server accepts requests for the UI must be listed here or incoming requests will be rejected.
Type: list of strings
Default: ``[
]``
Declared by:
services.mailman.webRoot¶
The web root for the Hyperkity + Postorius apps provided by Mailman. This variable can be set, of course, but it mainly exists so that site admins can refer to it in their own hand-written web server configuration files.
Type: path
Default:
"\\${pkgs.mailman-web}/\\${pkgs.python3.sitePackages}"Declared by:
services.mailman.webSettings¶
Overrides for the default mailman-web Django settings.
Type: attribute set
Default: ``{
}``
Declared by:
services.mailman.webUser¶
User to run mailman-web as
Type: string
Default:
"wwwrun"Declared by:
services.mailpile.enable¶
Whether to enable Mailpile the mail client.
Type: unspecified
Default:
falseDeclared by:
services.mailpile.hostname¶
Listen to this hostname or ip.
Type: unspecified
Default:
"localhost"Declared by:
services.mailpile.port¶
Listen on this port.
Type: unspecified
Default:
"33411"Declared by:
services.mame.enable¶
Whether to setup TUN/TAP Ethernet interface for MAME emulator.
Type: boolean
Default:
falseDeclared by:
services.mame.emuAddr¶
IP address of the guest system. The same you set inside guest OS under MAME. Should be on the same subnet as .
Type: string
Example:
"192.168.31.155"Declared by:
services.mame.hostAddr¶
IP address of the host system. Usually an address of the main network adapter or the adapter through which you get an internet connection.
Type: string
Example:
"192.168.31.156"Declared by:
services.mame.user¶
User from which you run MAME binary.
Type: string
Declared by:
services.marathon.enable¶
Whether to enable the marathon mesos framework.
Type: boolean
Default:
falseDeclared by:
services.marathon.environment¶
Environment variables passed to Marathon.
Type: attribute set
Default: ``{
}``
Example:
{ JAVA_OPTS = "-Xmx512m"; MESOSPHERE_HTTP_CREDENTIALS = "username:password"; }Declared by:
services.marathon.extraCmdLineOptions¶
Extra command line options to pass to Marathon. See ` <https://mesosphere.github.io/marathon/docs/command-line-flags.html>`_ for all possible flags.
Type: list of strings
Default: ``[
]``
Example:
[ "--https_port=8443" "--zk_timeout=10000" "--marathon_store_timeout=2000" ]Declared by:
services.marathon.httpPort¶
Marathon listening port for HTTP connections.
Type: signed integer
Default:
8080Declared by:
services.marathon.master¶
Mesos master address. See ` <https://mesosphere.github.io/marathon/docs/>`_ for details.
Type: string
Default:
"zk://localhost:2181/mesos"Example:
"zk://1.2.3.4:2181,2.3.4.5:2181,3.4.5.6:2181/mesos"Declared by:
services.marathon.user¶
The user that the Marathon framework will be launched as. If the user doesn’t exist it will be created. If you want to run apps that require root access or you want to launch apps using arbitrary users, that is using the `–mesos_user` flag then you need to change this to `root`.
Type: string
Default:
"marathon"Example:
"root"Declared by:
services.marathon.zookeeperHosts¶
ZooKeeper hosts’ addresses.
Type: list of strings
Default:
[ "localhost:2181" ]Example:
[ "1.2.3.4:2181" "2.3.4.5:2181" "3.4.5.6:2181" ]Declared by:
services.mathics.enable¶
Whether to enable Mathics notebook service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mathics.external¶
Listen on all interfaces, rather than just localhost?
Type: boolean
Default:
falseDeclared by:
services.mathics.port¶
TCP port to listen on.
Type: signed integer
Default:
8000Declared by:
services.matomo.enable¶
Enable Matomo web analytics with php-fpm backend. Either the nginx option or the webServerUser option is mandatory.
Type: boolean
Default:
falseDeclared by:
services.matomo.package¶
Matomo package for the service to use. This can be used to point to newer releases from nixos-unstable, as they don’t get backported if they are not security-relevant.
Type: package
Default:
"pkgs.matomo"Declared by:
services.matomo.nginx¶
With this option, you can customize an nginx virtualHost which already has sensible defaults for Matomo. Either this option or the webServerUser option is mandatory. Set this to {} to just enable the virtualHost if you don’t need any customization. If enabled, then by default, the is``${user}.${config.networking.hostName}.${config.networking.domain}``, SSL is active, and certificates are acquired via ACME. If this is set to null (the default), no nginx virtualHost will be configured.
Type: null or submodule
Default:
nullExample:
{ enableACME = false; serverAliases = [ "matomo.\\${config.networking.domain}" "stats.\\${config.networking.domain}" ] ; }Declared by:
services.matomo.nginx.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
trueDeclared by:
services.matomo.nginx.acmeFallbackHost¶
Host which to proxy requests to if acme challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
Type: null or string
Default:
nullDeclared by:
services.matomo.nginx.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenge"Declared by:
services.matomo.nginx.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.matomo.nginx.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the nix store.
Type: attribute set of strings
Default: ``{
}``
Example:
{ user = "password"; };Declared by:
services.matomo.nginx.basicAuthFile¶
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>
Type: null or path
Default:
nullDeclared by:
services.matomo.nginx.default¶
Makes this vhost the default.
Type: boolean
Default:
falseDeclared by:
services.matomo.nginx.extraConfig¶
These lines go to the end of the vhost verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.matomo.nginx.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
trueDeclared by:
services.matomo.nginx.globalRedirect¶
If set, all requests for this host are redirected permanently to the given hostname.
Type: null or string
Default:
nullExample:
"newserver.example.org"Declared by:
services.matomo.nginx.http2¶
Whether to enable HTTP 2. Note that (as of writing) due to nginx’s implementation, to disable HTTP 2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2,then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default:
trueDeclared by:
services.matomo.nginx.listen¶
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides
addSSLandonlySSL.Type: list of submodules
Default: ``[
]``
Example: ``[
{ addr = “195.154.1.1”; port = 443; ssl = true; }
{ addr = “192.154.1.1”; port = 80; }
]``
Declared by:
services.matomo.nginx.listen.*.addr¶
services.matomo.nginx.listen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of strings
Default: ``[
]``
Example:
[ "reuseport" "deferred" ]Declared by:
services.matomo.nginx.listen.*.port¶
Port number.
Type: signed integer
Default:
80Declared by:
services.matomo.nginx.listen.*.ssl¶
Enable SSL.
Type: boolean
Default:
falseDeclared by:
services.matomo.nginx.locations¶
Declarative location config
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; };Declared by:
services.matomo.nginx.locations.<name>.alias¶
Alias directory for requests.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.matomo.nginx.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.matomo.nginx.locations.<name>.index¶
Adds index directive.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.matomo.nginx.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.matomo.nginx.locations.<name>.proxyPass¶
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.matomo.nginx.locations.<name>.proxyWebsockets¶
Whether to supporty proxying websocket connections with HTTP/1.1.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.matomo.nginx.locations.<name>.return¶
Adds a return directive, for e.g. redirections.
Type: null or string
Default:
nullExample:
"301 http://example.com\\$request_uri"Declared by:
services.matomo.nginx.locations.<name>.root¶
Root directory for requests.
Type: null or path
Default:
nullExample:
"/your/root/directory"Declared by:
services.matomo.nginx.locations.<name>.tryFiles¶
Adds try_files directive.
Type: null or string
Default:
nullExample:
"\\$uri =404"Declared by:
services.matomo.nginx.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.matomo.nginx.root¶
The path of the web root directory.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.matomo.nginx.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "example.org" ]Declared by:
services.matomo.nginx.serverName¶
Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default:
nullExample:
"example.org"Declared by:
services.matomo.nginx.sslCertificate¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.matomo.nginx.sslCertificateKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.matomo.nginx.sslTrustedCertificate¶
Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default:
nullExample:
"/var/root.cert"Declared by:
services.matomo.nginx.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.matomo.periodicArchiveProcessing¶
Enable periodic archive processing, which generates aggregated reports from the visits.
This means that you can safely disable browser triggers for Matomo archiving, and safely enable to delete old visitor logs. Before deleting visitor logs, make sure though that you run
systemctl start matomo-archive-processing.serviceat least once without errors if you have already collected data before.Type: boolean
Default:
trueDeclared by:
services.matomo.webServerUser¶
Name of the web server user that forwards requests to the fastcgi socket for Matomo if the nginx option is not used. Either this option or the nginx option is mandatory. If you want to use another webserver than nginx, you need to set this to that server’s user and pass fastcgi requests to `index.php`, `matomo.php` and `piwik.php` (legacy name) to this socket.
Type: null or string
Default:
nullExample:
"lighttpd"Declared by:
services.matrix-synapse.enable¶
Whether to enable matrix.org synapse.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.matrix-synapse.enable_metrics¶
Enable collection and rendering of performance metrics
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.enable_registration¶
Enable registration for new users.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.enable_registration_captcha¶
Enables ReCaptcha checks when registering, preventing signup unless a captcha is answered. Requires a valid ReCaptcha public/private key.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.package¶
Overridable attribute of the matrix synapse server package to use.
Type: package
Default:
"pkgs.matrix-synapse"Declared by:
services.matrix-synapse.account_threepid_delegates.email¶
services.matrix-synapse.account_threepid_delegates.msisdn¶
Delegate SMS sending to this local process (https://localhost:8090)
Type: null or string
Default:
nullDeclared by:
services.matrix-synapse.allow_guest_access¶
Allows users to register as guests without a password/email/etc, and participate in rooms hosted on this server which have been made accessible to anonymous users.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.app_service_config_files¶
services.matrix-synapse.bcrypt_rounds¶
Set the number of bcrypt rounds used to generate password hash. Larger numbers increase the work factor needed to generate the hash.
Type: string
Default:
"12"Declared by:
services.matrix-synapse.bind_host¶
DEPRECATED: Use listeners instead. Local interface to listen on. The empty string will cause synapse to listen on all interfaces.
Type: null or string
Default:
nullDeclared by:
services.matrix-synapse.bind_port¶
DEPRECATED: Use listeners instead. The port to listen for HTTPS requests on. For when matrix traffic is sent directly to synapse.
Type: null or signed integer
Default:
nullExample:
8448Declared by:
services.matrix-synapse.create_local_database¶
Whether to create a local database automatically.
Type: boolean
Default:
trueDeclared by:
services.matrix-synapse.dataDir¶
The directory where matrix-synapse stores its stateful data such as certificates, media and uploads.
Type: string
Default:
"/var/lib/matrix-synapse"Declared by:
services.matrix-synapse.database_args¶
Arguments to pass to the engine.
Type: attribute set
Default:
{ database = "matrix-synapse"; user = "matrix-synapse"; }Declared by:
services.matrix-synapse.database_name¶
Database name.
Type: string
Default:
"matrix-synapse"Declared by:
services.matrix-synapse.database_type¶
The database engine name. Can be sqlite or psycopg2.
Type: one of “sqlite3”, “psycopg2”
Default:
"psycopg2"Declared by:
services.matrix-synapse.database_user¶
Database user name.
Type: string
Default:
"matrix-synapse"Declared by:
services.matrix-synapse.dynamic_thumbnails¶
Whether to generate new thumbnails on the fly to precisely match the resolution requested by the client. If true then whenever a new resolution is requested by the client the server will generate a new thumbnail. If false the server will pick a thumbnail from a precalculated list.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.event_cache_size¶
Number of events to cache in memory.
Type: string
Default:
"10K"Declared by:
services.matrix-synapse.expire_access_token¶
Whether to enable access token expiration.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.extraConfig¶
Extra config options for matrix-synapse.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.matrix-synapse.extraConfigFiles¶
Extra config files to include.
The configuration files will be included based on the command line argument –config-path. This allows to configure secrets without having to go through the Nix store, e.g. based on deployment keys if NixOPS is in use.
Type: list of paths
Default: ``[
]``
Declared by:
services.matrix-synapse.federation_rc_concurrent¶
The number of federation requests to concurrently process from a single server
Type: string
Default:
"3"Declared by:
services.matrix-synapse.federation_rc_reject_limit¶
The maximum number of concurrent federation requests allowed from a single server
Type: string
Default:
"50"Declared by:
services.matrix-synapse.federation_rc_sleep_delay¶
The duration in milliseconds to delay processing events from remote servers by if they go over the sleep limit.
Type: string
Default:
"500"Declared by:
services.matrix-synapse.federation_rc_sleep_limit¶
The number of federation requests from a single server in a window before the server will delay processing the request.
Type: string
Default:
"10"Declared by:
services.matrix-synapse.federation_rc_window_size¶
The federation window size in milliseconds
Type: string
Default:
"1000"Declared by:
services.matrix-synapse.key_refresh_interval¶
How long key response published by this server is valid for. Used to set the valid_until_ts in /key/v2 APIs. Determines how quickly servers will query to check which keys are still valid.
Type: string
Default:
"1d"Declared by:
services.matrix-synapse.listeners¶
List of ports that Synapse should listen on, their purpose and their configuration.
Type: list of submodules
Default: ``[
{ bind_address = “”; port = 8448; resources = [
{ compress = true; names = [ “client” “webclient” ] ; }
{ compress = false; names = [ “federation” ] ; }
] ; tls = true; type = “http”; x_forwarded = false; }
]``
Declared by:
services.matrix-synapse.listeners.*.bind_address¶
Local interface to listen on. The empty string will cause synapse to listen on all interfaces.
Type: string
Default:
""Example:
"203.0.113.42"Declared by:
services.matrix-synapse.listeners.*.port¶
The port to listen for HTTP(S) requests on.
Type: signed integer
Example:
8448Declared by:
services.matrix-synapse.listeners.*.resources¶
List of HTTP resources to serve on this listener.
Type: list of submodules
Declared by:
services.matrix-synapse.listeners.*.resources.*.compress¶
Should synapse compress HTTP responses to clients that support it? This should be disabled if running synapse behind a load balancer that can do automatic compression.
Type: boolean
Declared by:
services.matrix-synapse.listeners.*.resources.*.names¶
List of resources to host on this listener.
Type: list of strings
Example:
[ "client" "webclient" "federation" ]Declared by:
services.matrix-synapse.listeners.*.tls¶
Whether to listen for HTTPS connections rather than HTTP.
Type: boolean
Default:
trueDeclared by:
services.matrix-synapse.listeners.*.type¶
Type of listener.
Type: string
Default:
"http"Declared by:
services.matrix-synapse.listeners.*.x_forwarded¶
Use the X-Forwarded-For (XFF) header as the client IP and not the actual client IP.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.logConfig¶
A yaml python logging config file
Type: strings concatenated with “\n”
Default:
'' version: 1 # In systemd's journal, loglevel is implicitly stored, so let's omit it # from the message text. formatters: journal_fmt: format: '%(name)s: [%(request)s] %(message)s' filters: context: (): synapse.util.logcontext.LoggingContextFilter request: "" handlers: journal: class: systemd.journal.JournalHandler formatter: journal_fmt filters: [context] SYSLOG_IDENTIFIER: synapse root: level: INFO handlers: [journal] disable_existing_loggers: False ''Declared by:
services.matrix-synapse.macaroon_secret_key¶
Secret key for authentication tokens
Type: null or string
Default:
nullDeclared by:
services.matrix-synapse.max_image_pixels¶
Maximum number of pixels that will be thumbnailed
Type: string
Default:
"32M"Declared by:
services.matrix-synapse.max_upload_size¶
The largest allowed upload size in bytes
Type: string
Default:
"10M"Declared by:
services.matrix-synapse.no_tls¶
Don’t bind to the https port
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.public_baseurl¶
The public-facing base URL for the client API (not including _matrix/…)
Type: null or string
Default:
nullExample:
"https://example.com:8448/"Declared by:
services.matrix-synapse.rc_message_burst_count¶
Number of message a client can send before being throttled
Type: string
Default:
"10.0"Declared by:
services.matrix-synapse.rc_messages_per_second¶
Number of messages a client can send per second
Type: string
Default:
"0.2"Declared by:
services.matrix-synapse.recaptcha_private_key¶
This Home Server’s ReCAPTCHA private key.
Type: string
Default:
""Declared by:
services.matrix-synapse.recaptcha_public_key¶
This Home Server’s ReCAPTCHA public key.
Type: string
Default:
""Declared by:
services.matrix-synapse.redaction_retention_period¶
How long to keep redacted events in unredacted form in the database.
Type: signed integer
Default:
7Declared by:
services.matrix-synapse.report_stats¶
services.matrix-synapse.room_invite_state_types¶
A list of event types that will be included in the room_invite_state
Type: list of strings
Default:
[ "m.room.join_rules" "m.room.canonical_alias" "m.room.avatar" "m.room.name" ]Declared by:
services.matrix-synapse.server_name¶
The domain name of the server, with optional explicit port. This is used by remote servers to connect to this server, e.g. matrix.org, localhost:8080, etc. This is also the last part of your UserID.
Type: string
Default:
"nixos"Example:
"example.com"Declared by:
services.matrix-synapse.servers¶
The trusted servers to download signing keys from.
Type: attribute set of attribute set of stringss
Default:
{ matrix.org = { ed25519:auto = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; } ; }Declared by:
services.matrix-synapse.tls_certificate_path¶
PEM encoded X509 certificate for TLS. You can replace the self-signed certificate that synapse autogenerates on launch with your own SSL certificate + key pair if you like. Any required intermediary certificates can be appended after the primary certificate in hierarchical order.
Type: null or string
Default:
nullExample:
"/var/lib/matrix-synapse/homeserver.tls.crt"Declared by:
services.matrix-synapse.tls_dh_params_path¶
PEM dh parameters for ephemeral keys
Type: null or string
Default:
nullExample:
"/var/lib/matrix-synapse/homeserver.tls.dh"Declared by:
services.matrix-synapse.tls_private_key_path¶
PEM encoded private key for TLS. Specify null if synapse is not speaking TLS directly.
Type: null or string
Default:
nullExample:
"/var/lib/matrix-synapse/homeserver.tls.key"Declared by:
services.matrix-synapse.turn_uris¶
The public URIs of the TURN server to give to clients
Type: list of strings
Default: ``[
]``
Declared by:
services.matrix-synapse.turn_user_lifetime¶
How long generated TURN credentials last
Type: string
Default:
"1h"Declared by:
services.matrix-synapse.unsecure_port¶
DEPRECATED: Use listeners instead. The port to listen for HTTP requests on. For when matrix traffic passes through loadbalancer that unwraps TLS.
Type: null or signed integer
Default:
nullExample:
8008Declared by:
services.matrix-synapse.url_preview_enabled¶
Is the preview URL API enabled? If enabled, you *must* specify an explicit url_preview_ip_range_blacklist of IPs that the spider is denied from accessing.
Type: boolean
Default:
falseDeclared by:
services.matrix-synapse.url_preview_ip_range_blacklist¶
List of IP address CIDR ranges that the URL preview spider is denied from accessing.
Type: list of strings
Default:
[ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" "169.254.0.0/16" "::1/128" "fe80::/64" "fc00::/7" ]Declared by:
services.matrix-synapse.url_preview_ip_range_whitelist¶
List of IP address CIDR ranges that the URL preview spider is allowed to access even if they are specified in url_preview_ip_range_blacklist.
Type: list of strings
Default: ``[
]``
Declared by:
services.matrix-synapse.url_preview_url_blacklist¶
Optional list of URL matches that the URL preview spider is denied from accessing.
Type: list of strings
Default: ``[
]``
Declared by:
services.matrix-synapse.user_creation_max_duration¶
Sets the expiry for the short term user creation in milliseconds. The default value is two weeks.
Type: string
Default:
"1209600000"Declared by:
services.matrix-synapse.verbose¶
Logging verbosity level.
Type: string
Default:
"0"Declared by:
services.matrix-synapse.web_client¶
Whether to serve a web client from the HTTP/HTTPS root resource.
Type: boolean
Default:
falseDeclared by:
services.matterbridge.enable¶
Whether to enable Matterbridge chat platform bridge.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.matterbridge.configFile¶
WARNING: THIS IS INSECURE, as your password will end up in:file:/nix/store, thus publicly readable. Use``services.matterbridge.configPath`` instead.
The matterbridge configuration file in the TOML file format.
Type: string
Example:
'' # WARNING: as this file contains credentials, do not use this option! # It is kept only for backwards compatibility, and would cause your # credentials to be in the nix-store, thus with the world-readable # permission bits. # Use services.matterbridge.configPath instead. [irc] [irc.freenode] Server="irc.freenode.net:6667" Nick="matterbot" [mattermost] [mattermost.work] # Do not prefix it with http:// or https:// Server="yourmattermostserver.domain" Team="yourteam" Login="yourlogin" Password="yourpass" PrefixMessagesWithNick=true [[gateway]] name="gateway1" enable=true [[gateway.inout]] account="irc.freenode" channel="#testing" [[gateway.inout]] account="mattermost.work" channel="off-topic" ''Declared by:
services.matterbridge.configPath¶
The path to the matterbridge configuration file.
Type: null or string
Default:
nullExample:
"/etc/nixos/matterbridge.toml"Declared by:
services.matterbridge.group¶
Group which runs the matterbridge service.
Type: string
Default:
"matterbridge"Declared by:
services.matterbridge.user¶
User which runs the matterbridge service.
Type: string
Default:
"matterbridge"Declared by:
services.mattermost.enable¶
Whether to enable Mattermost chat server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mattermost.extraConfig¶
Addtional configuration options as Nix attribute set in config.json schema.
Type: attribute set
Default: ``{
}``
Declared by:
services.mattermost.group¶
Group which runs the Mattermost service.
Type: string
Default:
"mattermost"Declared by:
services.mattermost.listenAddress¶
Address and port this Mattermost instance listens to.
Type: string
Default:
":8065"Example:
"\[::1]:8065"Declared by:
services.mattermost.localDatabaseCreate¶
Create a local PostgreSQL database for Mattermost automatically.
Type: boolean
Default:
trueDeclared by:
services.mattermost.localDatabaseName¶
Local Mattermost database name.
Type: string
Default:
"mattermost"Declared by:
services.mattermost.localDatabasePassword¶
Password for local Mattermost database user.
Type: string
Default:
"mmpgsecret"Declared by:
services.mattermost.localDatabaseUser¶
Local Mattermost database username.
Type: string
Default:
"mattermost"Declared by:
services.mattermost.matterircd.enable¶
Whether to enable Mattermost IRC bridge.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mattermost.matterircd.parameters¶
Set commandline parameters to pass to matterircd. See https://github.com/42wim/matterircd#usage for more information.
Type: list of strings
Default: ``[
]``
Example:
[ "-mmserver chat.example.com" "-bind \[::]:6667" ]Declared by:
services.mattermost.mutableConfig¶
Whether the Mattermost config.json is writeable by Mattermost.
Most of the settings can be edited in the system console of Mattermost if this option is enabled. A template config using the options specified in services.mattermost will be generated but won’t be overwritten on changes or rebuilds.
If this option is disabled, changes in the system console won’t be possible (default). If an config.json is present, it will be overwritten!
Type: boolean
Default:
falseDeclared by:
services.mattermost.siteName¶
Name of this Mattermost site.
Type: string
Default:
"Mattermost"Declared by:
services.mattermost.siteUrl¶
URL this Mattermost instance is reachable under, without trailing slash.
Type: string
Example:
"https://chat.example.com"Declared by:
services.mattermost.statePath¶
Mattermost working directory
Type: string
Default:
"/var/lib/mattermost"Declared by:
services.mattermost.user¶
User which runs the Mattermost service.
Type: string
Default:
"mattermost"Declared by:
services.mbpfan.enable¶
Whether to enable mbpfan, fan controller daemon for Apple Macs and MacBooks.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mbpfan.package¶
The package used for the mbpfan daemon.
Type: package
Default:
"pkgs.mbpfan"Declared by:
services.mbpfan.highTemp¶
The high temperature.
Type: signed integer
Default:
66Declared by:
services.mbpfan.lowTemp¶
The low temperature.
Type: signed integer
Default:
63Declared by:
services.mbpfan.maxFanSpeed¶
The maximum fan speed.
Type: signed integer
Default:
6200Declared by:
services.mbpfan.maxTemp¶
The maximum temperature.
Type: signed integer
Default:
86Declared by:
services.mbpfan.minFanSpeed¶
The minimum fan speed.
Type: signed integer
Default:
2000Declared by:
services.mbpfan.pollingInterval¶
The polling interval.
Type: signed integer
Default:
7Declared by:
services.mbpfan.verbose¶
If true, sets the log level to verbose.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.enable¶
Whether to enable the mediatomb DLNA server.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.customCfg¶
Allow mediatomb to create and use its own config file inside /var/lib/mediatomb.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.dataDir¶
The directory where mediatomb stores its state, data, etc.
Type: path
Default:
"/var/lib/mediatomb"Declared by:
services.mediatomb.dsmSupport¶
Whether to enable D-Link DSM 320 specific tweaks. WARNING: incompatible with ps3 support.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.group¶
Group account under which mediatomb runs.
Type: unspecified
Default:
"mediatomb"Declared by:
services.mediatomb.interface¶
A specific interface to bind to.
Type: unspecified
Default:
""Declared by:
services.mediatomb.port¶
The network port to listen on.
Type: unspecified
Default:
49152Declared by:
services.mediatomb.ps3Support¶
Whether to enable ps3 specific tweaks. WARNING: incompatible with DSM 320 support.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.serverName¶
How to identify the server on the network.
Type: string
Default:
"mediatomb"Declared by:
services.mediatomb.tg100Support¶
Whether to enable Telegent TG100 specific tweaks.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.transcoding¶
Whether to enable transcoding.
Type: boolean
Default:
falseDeclared by:
services.mediatomb.user¶
User account under which mediatomb runs.
Type: unspecified
Default:
"mediatomb"Declared by:
services.mediatomb.uuid¶
A unique (on your network) to identify the server by.
Type: unspecified
Default:
"fdfc8a4e-a3ad-4c1d-b43d-a2eedb03a687"Declared by:
services.mediawiki.enable¶
Whether to enable MediaWiki.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mediawiki.package¶
Which MediaWiki package to use.
Type: package
Default:
*(build of mediawiki-1.34.0)*Declared by:
services.mediawiki.database.createLocally¶
Create the database and database user locally. This currently only applies if database type “mysql” is selected.
Type: boolean
Default:
"true"Declared by:
services.mediawiki.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.mediawiki.database.name¶
Database name.
Type: string
Default:
"mediawiki"Declared by:
services.mediawiki.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/mediawiki-dbpassword"Declared by:
services.mediawiki.database.port¶
Database host port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3306Declared by:
services.mediawiki.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
"/run/mysqld/mysqld.sock"Declared by:
services.mediawiki.database.tablePrefix¶
If you only have access to a single database and wish to install more than one version of MediaWiki, or have other applications that also use the database, you can give the table names a unique prefix to stop any naming conflicts or confusion. See ` <https://www.mediawiki.org/wiki/Manual:$wgDBprefix>`_.
Type: null or string
Default:
nullDeclared by:
services.mediawiki.database.type¶
Database engine to use. MySQL/MariaDB is the database of choice by MediaWiki developers.
Type: one of “mysql”, “postgres”, “sqlite”, “mssql”, “oracle”
Default:
"mysql"Declared by:
services.mediawiki.database.user¶
Database user.
Type: string
Default:
"mediawiki"Declared by:
services.mediawiki.extensions¶
List of paths whose content is copied to the ‘extensions’ subdirectory of the MediaWiki installation.
Type: attribute set of paths
Default: ``{
}``
Declared by:
services.mediawiki.extraConfig¶
Any additional text to be appended to MediaWiki’s LocalSettings.php configuration file. For configuration settings, see ` <https://www.mediawiki.org/wiki/Manual:Configuration_settings>`_.
Type: strings concatenated with “\n”
Default:
""Example:
'' $wgEnableEmail = false; ''Declared by:
services.mediawiki.name¶
Name of the wiki.
Type: unspecified
Default:
"MediaWiki"Example:
"Foobar Wiki"Declared by:
services.mediawiki.passwordFile¶
A file containing the initial password for the admin user.
Type: path
Example:
"/run/keys/mediawiki-password"Declared by:
services.mediawiki.poolConfig¶
Options for the MediaWiki PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.mediawiki.skins¶
List of paths whose content is copied to the ‘skins’ subdirectory of the MediaWiki installation.
Type: attribute set of paths
Default: ``{
}``
Declared by:
services.mediawiki.uploadsDir¶
This directory is used for uploads of pictures. The directory passed here is automatically created and permissions adjusted as required.
Type: null or path
Default:
"/var/lib/mediawiki/uploads"Declared by:
services.mediawiki.virtualHost¶
Apache configuration can be done by adapting . See services.httpd.virtualHosts for further information.
Type: submodule
Example:
{ hostName = "mediawiki.example.org"; adminAddr = "webmaster@example.org"; forceSSL = true; enableACME = true; }Declared by:
services.mediawiki.virtualHost.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.mediawiki.virtualHost.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.mediawiki.virtualHost.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.mediawiki.virtualHost.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.mediawiki.virtualHost.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.mediawiki.virtualHost.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.mediawiki.virtualHost.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.listen¶
services.mediawiki.virtualHost.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.mediawiki.virtualHost.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.mediawiki.virtualHost.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.mediawiki.virtualHost.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.mediawiki.virtualHost.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.mediawiki.virtualHost.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.mediawiki.virtualHost.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.mediawiki.virtualHost.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.mediawiki.virtualHost.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.mediawiki.virtualHost.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.mediawiki.virtualHost.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.mediawiki.virtualHost.servedDirs¶
services.mediawiki.virtualHost.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.mediawiki.virtualHost.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.mediawiki.virtualHost.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.mediawiki.virtualHost.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.mediawiki.virtualHost.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.mediawiki.virtualHost.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.meguca.enable¶
Whether to enable meguca.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.meguca.assumeReverseProxy¶
Assume the server is behind a reverse proxy, when resolving client IPs.
Type: boolean
Default:
falseDeclared by:
services.meguca.cacheSize¶
Cache size in MB.
Type: null or signed integer
Default:
nullExample:
256Declared by:
services.meguca.compressTraffic¶
Compress all traffic with gzip.
Type: boolean
Default:
falseDeclared by:
services.meguca.dataDir¶
Location where meguca stores it’s database and links.
Type: path
Default:
"/var/lib/meguca"Example:
"/home/okina/meguca"Declared by:
services.meguca.httpsOnly¶
Serve and listen only through HTTPS.
Type: boolean
Default:
falseDeclared by:
services.meguca.listenAddress¶
Listen on a specific IP address and port.
Type: null or string
Default:
nullExample:
"127.0.0.1:8000"Declared by:
services.meguca.password¶
Password for the meguca database.
Type: string
Default:
"meguca"Example:
"dumbpass"Declared by:
services.meguca.passwordFile¶
Password file for the meguca database.
Type: path
Default:
"/run/keys/meguca-password-file"Example:
"/home/okina/meguca/keys/pass"Declared by:
services.meguca.postgresArgs¶
Postgresql connection arguments.
Type: string
Example:
"user=meguca password=dumbpass dbname=meguca sslmode=disable"Declared by:
services.meguca.postgresArgsFile¶
Postgresql connection arguments file.
Type: path
Default:
"/run/keys/meguca-postgres-args"Example:
"/home/okina/meguca/keys/postgres"Declared by:
services.meguca.reverseProxy¶
Reverse proxy IP.
Type: null or string
Default:
nullExample:
"192.168.1.5"Declared by:
services.meguca.sslCertificate¶
Path to the SSL certificate.
Type: null or string
Default:
nullExample:
"/home/okina/meguca/ssl.cert"Declared by:
services.meguca.videoPaths¶
Videos that will be symlinked into www/videos.
Type: list of paths
Default: ``[
]``
Example:
[ "/home/okina/Videos/tehe_pero.webm" ]Declared by:
services.memcached.enable¶
Whether to enable Memcached.
Type: unspecified
Default:
falseDeclared by:
services.memcached.enableUnixSocket¶
Whether to enable unix socket at /run/memcached/memcached.sock.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.memcached.extraOptions¶
A list of extra options that will be added as a suffix when running memcached
Type: unspecified
Default: ``[
]``
Declared by:
services.memcached.listen¶
The IP address to bind to
Type: unspecified
Default:
"127.0.0.1"Declared by:
services.memcached.maxConnections¶
The maximum number of simultaneous connections
Type: unspecified
Default:
1024Declared by:
services.memcached.maxMemory¶
The maximum amount of memory to use for storage, in megabytes.
Type: unspecified
Default:
64Declared by:
services.memcached.port¶
The port to bind to
Type: unspecified
Default:
11211Declared by:
services.memcached.user¶
The user to run Memcached as
Type: unspecified
Default:
"memcached"Declared by:
services.mesos.master.enable¶
Whether to enable the Mesos Master.
Type: boolean
Default:
falseDeclared by:
services.mesos.master.advertiseIp¶
IP address advertised to reach this master.
Type: null or string
Default:
nullDeclared by:
services.mesos.master.advertisePort¶
Port advertised to reach this Mesos master.
Type: null or signed integer
Default:
nullDeclared by:
services.mesos.master.extraCmdLineOptions¶
Extra command line options for Mesos Master.
See https://mesos.apache.org/documentation/latest/configuration/
Type: list of strings
Default:
[ "" ]Example:
[ "--credentials=VALUE" ]Declared by:
services.mesos.master.ip¶
IP address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.mesos.master.logLevel¶
The logging level used. Possible values: ‘INFO’, ‘WARNING’, ‘ERROR’
Type: string
Default:
"INFO"Declared by:
services.mesos.master.port¶
Mesos Master port
Type: signed integer
Default:
5050Declared by:
services.mesos.master.quorum¶
The size of the quorum of replicas when using ‘replicated_log’ based registry. It is imperative to set this value to be a majority of masters i.e., quorum > (number of masters)/2.
If 0 will fall back to –registry=in_memory.
Type: signed integer
Default:
0Declared by:
services.mesos.master.workDir¶
The Mesos work directory.
Type: string
Default:
"/var/lib/mesos/master"Declared by:
services.mesos.master.zk¶
ZooKeeper URL (used for leader election amongst masters). May be one of: zk://host1:port1,host2:port2,…/mesos zk://username:password@host1:port1,host2:port2,…/mesos
Type: string
Declared by:
services.mesos.slave.enable¶
Whether to enable the Mesos Slave.
Type: boolean
Default:
falseDeclared by:
services.mesos.slave.advertiseIp¶
IP address advertised to reach this agent.
Type: null or string
Default:
nullDeclared by:
services.mesos.slave.advertisePort¶
Port advertised to reach this agent.
Type: null or signed integer
Default:
nullDeclared by:
services.mesos.slave.attributes¶
Machine attributes for the slave instance.
Use caution when changing this; you may need to manually reset slave metadata before the slave can re-register.
Type: attribute set of strings
Default: ``{
}``
Example:
{ host = "aabc123"; os = "nixos"; rack = "aa"; }Declared by:
services.mesos.slave.containerizers¶
List of containerizer implementations to compose in order to provide containerization. Available options are mesos and docker. The order the containerizers are specified is the order they are tried.
Type: list of strings
Default:
[ "mesos" ]Declared by:
services.mesos.slave.dockerRegistry¶
The default url for pulling Docker images. It could either be a Docker registry server url, or a local path in which Docker image archives are stored.
Type: null or string or path
Default:
nullDeclared by:
services.mesos.slave.executorEnvironmentVariables¶
The environment variables that should be passed to the executor, and thus subsequently task(s).
Type: attribute set of strings
Default:
{ PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"; }Declared by:
services.mesos.slave.extraCmdLineOptions¶
Extra command line options for Mesos Slave.
See https://mesos.apache.org/documentation/latest/configuration/
Type: list of strings
Default:
[ "" ]Example:
[ "--gc_delay=3days" ]Declared by:
services.mesos.slave.imageProviders¶
List of supported image providers, e.g., APPC,DOCKER.
Type: list of strings
Default: ``[
]``
Declared by:
services.mesos.slave.imageProvisionerBackend¶
Strategy for provisioning container rootfs from images, e.g., aufs, bind, copy, overlay.
Type: string
Default:
"copy"Declared by:
services.mesos.slave.ip¶
IP address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.mesos.slave.isolation¶
Isolation mechanisms to use, e.g., posix/cpu,posix/mem, or cgroups/cpu,cgroups/mem, or network/port_mapping, or `gpu/nvidia` for nvidia specific gpu isolation.
Type: list of strings
Default:
[ "posix/cpu" "posix/mem" ]Declared by:
services.mesos.slave.logLevel¶
The logging level used. Possible values: ‘INFO’, ‘WARNING’, ‘ERROR’
Type: string
Default:
"INFO"Declared by:
services.mesos.slave.master¶
May be one of: zk://host1:port1,host2:port2,…/path zk://username:password@host1:port1,host2:port2,…/path
Type: string
Declared by:
services.mesos.slave.port¶
Port to listen on.
Type: signed integer
Default:
5051Declared by:
services.mesos.slave.withDocker¶
Enable the docker containerizer.
Type: boolean
Default:
falseDeclared by:
services.mesos.slave.withHadoop¶
Add the HADOOP_HOME to the slave.
Type: boolean
Default:
falseDeclared by:
services.mesos.slave.workDir¶
The Mesos work directory.
Type: string
Default:
"/var/lib/mesos/slave"Declared by:
services.metabase.enable¶
Whether to enable Metabase service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.metabase.listen.ip¶
IP address that Metabase should listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.metabase.listen.port¶
Listen port for Metabase.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3000Declared by:
services.metabase.openFirewall¶
Open ports in the firewall for Metabase.
Type: boolean
Default:
falseDeclared by:
services.metabase.ssl.enable¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.metabase.ssl.keystore¶
Java KeyStore file containing the certificates.
Type: null or path
Default:
"/var/lib/metabase/metabase.jks"Example:
"/etc/secrets/keystore.jks"Declared by:
services.metabase.ssl.port¶
Listen port over SSL (https) for Metabase.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8443Declared by:
services.mighttpd2.enable¶
Whether to enable Mighttpd2 web server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mighttpd2.config¶
Verbatim config file to use (see http://www.mew.org/~kazu/proj/mighttpd/en/config.html)
Type: strings concatenated with “\n”
Default:
""Example:
'' # Example configuration for Mighttpd 2 Port: 80 # IP address or "*" Host: * Debug_Mode: Yes # Yes or No # If available, "nobody" is much more secure for User:. User: root # If available, "nobody" is much more secure for Group:. Group: root Pid_File: /run/mighty.pid Logging: Yes # Yes or No Log_File: /var/log/mighty # The directory must be writable by User: Log_File_Size: 16777216 # bytes Log_Backup_Number: 10 Index_File: index.html Index_Cgi: index.cgi Status_File_Dir: /usr/local/share/mighty/status Connection_Timeout: 30 # seconds Fd_Cache_Duration: 10 # seconds # Server_Name: Mighttpd/3.x.y Tls_Port: 443 Tls_Cert_File: cert.pem # should change this with an absolute path # should change this with comma-separated absolute paths Tls_Chain_Files: chain.pem # Currently, Tls_Key_File must not be encrypted. Tls_Key_File: privkey.pem # should change this with an absolute path Service: 0 # 0 is HTTP only, 1 is HTTPS only, 2 is both ''Declared by:
services.mighttpd2.cores¶
How many cores to use. If null it will be determined automatically
Type: null or signed integer
Default:
nullDeclared by:
services.mighttpd2.routing¶
Verbatim routing file to use (see http://www.mew.org/~kazu/proj/mighttpd/en/config.html)
Type: strings concatenated with “\n”
Default:
""Example:
'' # Example routing for Mighttpd 2 # Domain lists [localhost www.example.com] # Entries are looked up in the specified order # All paths must end with "/" # A path to CGI scripts should be specified with "=>" /~alice/cgi-bin/ => /home/alice/public_html/cgi-bin/ # A path to static files should be specified with "->" /~alice/ -> /home/alice/public_html/ /cgi-bin/ => /export/cgi-bin/ # Reverse proxy rules should be specified with ">>" # /path >> host:port/path2 # Either "host" or ":port" can be committed, but not both. /app/cal/ >> example.net/calendar/ # Yesod app in the same server /app/wiki/ >> 127.0.0.1:3000/ / -> /export/www/ ''Declared by:
services.minecraft-server.enable¶
If enabled, start a Minecraft Server. The server data will be loaded from and saved to.
Type: boolean
Default:
falseDeclared by:
services.minecraft-server.package¶
Version of minecraft-server to run.
Type: package
Default:
"pkgs.minecraft-server"Example:
pkgs.minecraft-server_1_12_2Declared by:
services.minecraft-server.dataDir¶
Directory to store Minecraft database and other state/data files.
Type: path
Default:
"/var/lib/minecraft"Declared by:
services.minecraft-server.declarative¶
Whether to use a declarative Minecraft server configuration. Only if set to
true, the options and will be applied.Type: boolean
Default:
falseDeclared by:
services.minecraft-server.eula¶
Whether you agree to`Mojangs EULA <https://account.mojang.com/documents/minecraft_eula>`_. This option must be set to``true`` to run Minecraft server.
Type: boolean
Default:
falseDeclared by:
services.minecraft-server.jvmOpts¶
JVM options for the Minecraft server.
Type: strings concatenated with ” “
Default:
"-Xmx2048M -Xms2048M"Example:
"-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing -XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10"Declared by:
services.minecraft-server.openFirewall¶
Whether to open ports in the firewall for the server.
Type: boolean
Default:
falseDeclared by:
services.minecraft-server.serverProperties¶
Minecraft server properties for the server.properties file. Only has an effect when is set to
true. See` <https://minecraft.gamepedia.com/Server.properties#Java_Edition_3>`_ for documentation on these values.Type: attribute set of boolean or signed integer or strings
Default: ``{
}``
Example:
{ server-port = 43000; difficulty = 3; gamemode = 1; max-players = 5; motd = "NixOS Minecraft server!"; white-list = true; enable-rcon = true; "rcon.password" = "hunter2"; }Declared by:
services.minecraft-server.whitelist¶
Whitelisted players, only has an effect when is``true`` and the whitelist is enabled via by setting
white-listtotrue. This is a mapping from Minecraft usernames to UUIDs. You can use ` <https://mcuuid.net/>`_ to get a Minecraft UUID for a username.Type: attribute set of Minecraft UUIDs
Default: ``{
}``
Example:
{ username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; };Declared by:
services.minetest-server.enable¶
If enabled, starts a Minetest Server.
Type: boolean
Default:
falseDeclared by:
services.minetest-server.configPath¶
Path to the config to use.
If set to null, the config of the running user will be used: `~/.minetest/minetest.conf`.
Type: null or path
Default:
nullDeclared by:
services.minetest-server.gameId¶
Id of the game to use. To list available games run `minetestserver –gameid list`.
If only one game exists, this option can be null.
Type: null or string
Default:
nullDeclared by:
services.minetest-server.logPath¶
Path to logfile for logging.
If set to null, logging will be output to stdout which means all output will be catched by systemd.
Type: null or path
Default:
nullDeclared by:
services.minetest-server.port¶
Port number to bind to.
If set to null, the default 30000 will be used.
Type: null or signed integer
Default:
nullDeclared by:
services.minetest-server.world¶
Name of the world to use. To list available worlds run `minetestserver –world list`.
If only one world exists, this option can be null.
Type: null or path
Default:
nullDeclared by:
services.mingetty.autologinUser¶
Username of the account that will be automatically logged in at the console. If unspecified, a login prompt is shown as usual.
Type: null or string
Default:
nullDeclared by:
services.mingetty.greetingLine¶
Welcome line printed by mingetty. The default shows current NixOS version label, machine type and tty.
Type: string
Declared by:
services.mingetty.helpLine¶
Help line printed by mingetty below the welcome line. Used by the installation CD to give some hints on how to proceed.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.mingetty.serialSpeed¶
Bitrates to allow for agetty’s listening on serial ports. Listing more bitrates gives more interoperability but at the cost of long delays for getting a sync on the line.
Type: list of signed integers
Default:
[ 115200 57600 38400 9600 ]Example:
[ 38400 9600 ]Declared by:
services.minidlna.enable¶
Whether to enable MiniDLNA, a simple DLNA server. It serves media files such as video and music to DLNA client devices such as televisions and media players.
Type: boolean
Default:
falseDeclared by:
services.minidlna.announceInterval¶
The interval between announces (in seconds).
By default miniDLNA will announce its presence on the network approximately every 15 minutes.
Many people prefer shorter announce intervals (e.g. 60 seconds) on their home networks, especially when DLNA clients are started on demand.
Type: signed integer
Default:
895Declared by:
services.minidlna.config¶
The contents of MiniDLNA’s configuration file. When the service is activated, a basic template is generated from the current options opened here.
Type: strings concatenated with “\n”
Declared by:
services.minidlna.extraConfig¶
Extra minidlna options not yet opened for configuration here (strict_dlna, model_number, model_name, etc…). This is appended to the current service already provided.
Type: strings concatenated with “\n”
Default:
""Example:
'' # Not exhaustive example # Support for streaming .jpg and .mp3 files to a TiVo supporting HMO. enable_tivo=no # SSDP notify interval, in seconds. notify_interval=10 # maximum number of simultaneous connections # note: many clients open several simultaneous connections while # streaming max_connections=50 # set this to yes to allow symlinks that point outside user-defined # media_dirs. wide_links=yes ''Declared by:
services.minidlna.friendlyName¶
Name that the DLNA server presents to clients.
Type: string
Default:
"\\$HOSTNAME MiniDLNA"Example:
"rpi3"Declared by:
services.minidlna.loglevel¶
Defines the type of messages that should be logged, and down to which level of importance they should be considered.
The possible types are “artwork”, “database”, “general”, “http”, “inotify”, “metadata”, “scanner”, “ssdp” and “tivo”.
The levels are “off”, “fatal”, “error”, “warn”, “info” and “debug”, listed here in order of decreasing importance. “off” turns off logging messages entirely, “fatal” logs the most critical messages only, and so on down to “debug” that logs every single messages.
The types are comma-separated, followed by an equal sign (‘=’), followed by a level that applies to the preceding types. This can be repeated, separating each of these constructs with a comma.
Defaults to “general,artwork,database,inotify,scanner,metadata, http,ssdp,tivo=warn” which logs every type of message at the “warn” level.
Type: string
Default:
"warn"Example:
"general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn"Declared by:
services.minidlna.mediaDirs¶
Directories to be scanned for media files. The prefixes``A,``,
V,and``P,`` restrict a directory to audio, video or image files. The directories must be accessible to the``minidlna`` user account.Type: list of strings
Default: ``[
]``
Example:
[ "/data/media" "V,/home/alice/video" ]Declared by:
services.minidlna.rootContainer¶
Use a different container as the root of the directory tree presented to clients. The possible values are: - “.” - standard container - “B” - “Browse Directory” - “M” - “Music” - “P” - “Pictures” - “V” - “Video” - Or, you can specify the ObjectID of your desired root container (eg. 1$F for Music/Playlists) If you specify “B” and the client device is audio-only then “Music/Folders” will be used as root.
Type: string
Default:
"."Example:
"B"Declared by:
services.miniflux.enable¶
Whether to enable miniflux.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.miniflux.adminCredentialsFile¶
File containing the ADMIN_USERNAME, default is “admin”, and ADMIN_PASSWORD (length >= 6), default is “password”; in the format of an EnvironmentFile=, as described by systemd.exec(5).
Type: null or path
Default:
nullExample:
"/etc/nixos/miniflux-admin-credentials"Declared by:
services.miniflux.config¶
Configuration for Miniflux, refer to` <http://docs.miniflux.app/en/latest/configuration.html>`_ for documentation on the supported values.
Type: attribute set of strings
Example:
{ CLEANUP_FREQUENCY = "48"; LISTEN_ADDR = "localhost:8080"; }Declared by:
services.minio.enable¶
Whether to enable Minio Object Storage.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.minio.package¶
Minio package to use.
Type: package
Default:
"pkgs.minio"Declared by:
services.minio.accessKey¶
Access key of 5 to 20 characters in length that clients use to access the server. This overrides the access key that is generated by minio on first startup and stored inside the``configDir`` directory.
Type: string
Default:
""Declared by:
services.minio.browser¶
Enable or disable access to web UI.
Type: boolean
Default:
trueDeclared by:
services.minio.configDir¶
The config directory, for the access keys and other settings.
Type: path
Default:
"/var/lib/minio/config"Declared by:
services.minio.dataDir¶
The data directory, for storing the objects.
Type: path
Default:
"/var/lib/minio/data"Declared by:
services.minio.listenAddress¶
Listen on a specific IP address and port.
Type: string
Default:
":9000"Declared by:
services.minio.region¶
The physical location of the server. By default it is set to us-east-1, which is same as AWS S3’s and Minio’s default region.
Type: string
Default:
"us-east-1"Declared by:
services.minio.secretKey¶
Specify the Secret key of 8 to 40 characters in length that clients use to access the server. This overrides the secret key that is generated by minio on first startup and stored inside the``configDir`` directory.
Type: string
Default:
""Declared by:
services.miniupnpd.enable¶
Whether to enable MiniUPnP daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.miniupnpd.appendConfig¶
Configuration lines appended to the MiniUPnP config.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.miniupnpd.externalInterface¶
Name of the external interface.
Type: string
Declared by:
services.miniupnpd.internalIPs¶
The IP address ranges to listen on.
Type: list of strings
Example:
[ "192.168.1.1/24" "enp1s0" ]Declared by:
services.miniupnpd.natpmp¶
Whether to enable NAT-PMP support.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.miniupnpd.upnp¶
Whether to enable UPNP support.
Type: boolean
Default:
trueDeclared by:
services.miredo.enable¶
Whether to enable the Miredo IPv6 tunneling service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.miredo.package¶
The package to use for the miredo daemon’s binary.
Type: package
Default:
"pkgs.miredo"Declared by:
services.miredo.bindAddress¶
Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and or IPv4 address.
Type: null or string
Default:
nullDeclared by:
services.miredo.bindPort¶
Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and or IPv4 address.
Type: null or string
Default:
nullDeclared by:
services.miredo.interfaceName¶
Name of the network tunneling interface.
Type: string
Default:
"teredo"Declared by:
services.miredo.serverAddress¶
The hostname or primary IPv4 address of the Teredo server. This setting is required if Miredo runs as a Teredo client. “teredo.remlab.net” is an experimental service for testing only. Please use another server for production and/or large scale deployments.
Type: string
Default:
"teredo.remlab.net"Declared by:
services.mjpg-streamer.enable¶
Whether to enable mjpg-streamer webcam streamer.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mjpg-streamer.group¶
mjpg-streamer group name.
Type: string
Default:
"video"Declared by:
services.mjpg-streamer.inputPlugin¶
Input plugin. See plugins documentation for more information.
Type: string
Default:
"input_uvc.so"Declared by:
services.mjpg-streamer.outputPlugin¶
Output plugin.
@www@is substituted for default mjpg-streamer www directory. See plugins documentation for more information.Type: string
Default:
"output_http.so -w @www@ -n -p 5050"Declared by:
services.mjpg-streamer.user¶
mjpg-streamer user name.
Type: string
Default:
"mjpg-streamer"Declared by:
services.mlmmj.enable¶
Enable mlmmj
Type: boolean
Default:
falseDeclared by:
services.mlmmj.group¶
mailinglist local group
Type: string
Default:
"mlmmj"Declared by:
services.mlmmj.listDomain¶
Set the mailing list domain
Type: string
Default:
"localhost"Declared by:
services.mlmmj.mailLists¶
services.mlmmj.maintInterval¶
Time interval between mlmmj-maintd runs, seesystemd.time7 for format information.
Type: string
Default:
"20min"Declared by:
services.mlmmj.user¶
mailinglist local user
Type: string
Default:
"mlmmj"Declared by:
services.moinmoin.enable¶
Whether to enable MoinMoin Wiki Engine.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.moinmoin.gunicorn.workers¶
The number of worker processes for handling requests.
Type: positive integer, meaning >0
Default:
3Example:
10Declared by:
services.moinmoin.webServer¶
Which web server to use to serve the wiki. Use
noneif you want to configure this yourself.Type: one of “nginx-gunicorn”, “gunicorn”, “none”
Default:
"nginx-gunicorn"Example:
"none"Declared by:
services.moinmoin.wikis¶
Configurations of the individual wikis. Attribute names must be valid Python identifiers of the form
[A-Za-z_][A-Za-z0-9_]*.For every attribute WIKINAME, a helper script moin-WIKINAME is created which runs the:command:moin command under the
moinuser (to avoid file ownership issues) and with the right configuration directory passed to it.Type: attribute set of submodules
Example:
{ "mywiki" = { siteName = "Example Wiki"; webHost = "wiki.example.org"; superUsers = [ "admin" ]; frontPage = "Index"; extraConfig = "page_category_regex = ur'(?P<all>(Category|Kategorie)(?P<key>(?!Template)\S+))'" }; }Declared by:
services.moinmoin.wikis.<name>.extraConfig¶
Additional configuration to be appended verbatim to this wiki’s config.
See ` <http://moinmo.in/HelpOnConfiguration>`_ for documentation.
Type: strings concatenated with “\n”
Default:
""Example:
'' show_hosts = True search_results_per_page = 100 acl_rights_default = u"Known:read,write,delete,revert All:read" logo_string = u"<h2>\U0001f639</h2>" theme_default = u"modernized" user_checkbox_defaults = {'show_page_trail': 0, 'edit_on_doubleclick': 0} navi_bar = [u'SomePage'] + multiconfig.DefaultConfig.navi_bar actions_excluded = multiconfig.DefaultConfig.actions_excluded + ['newaccount'] mail_smarthost = "mail.example.org" mail_from = u"Example.Org Wiki <wiki@example.org>" ''Declared by:
services.moinmoin.wikis.<name>.frontPage¶
Front page name. Set this to something like
FrontPageonce languages are configured.Type: string
Default:
"LanguageSetup"Example:
"FrontPage"Declared by:
services.moinmoin.wikis.<name>.languageDefault¶
The ISO-639-1 name of the main wiki language. Languages that MoinMoin does not support are ignored.
Type: string
Default:
"en"Example:
"de"Declared by:
services.moinmoin.wikis.<name>.siteName¶
Short description of your wiki site, displayed below the logo on each page, and used in RSS documents as the channel title.
Type: string
Default:
"Untitled Wiki"Example:
"ExampleWiki"Declared by:
services.moinmoin.wikis.<name>.superUsers¶
List of trusted user names with wiki system administration super powers.
Please note that accounts for these users need to be created using the moin command-line utility, e.g.:moin-*WIKINAME* account create --name=*NAME* --email=*EMAIL* --password=*PASSWORD*.
Type: list of strings
Default: ``[
]``
Example:
[ "elvis" ]Declared by:
services.moinmoin.wikis.<name>.webHost¶
Host part of the wiki URL. If undefined, the name of the attribute set will be used.
Type: string
Example:
"wiki.example.org"Declared by:
services.moinmoin.wikis.<name>.webLocation¶
Location part of the wiki URL.
Type: string
Default:
"/"Example:
"/moin"Declared by:
services.monero.enable¶
Whether to enable Monero node daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.monero.exclusiveNodes¶
List of peer IP addresses to connect to *only*. If given the other peer options will be ignored.
Type: list of strings
Default: ``[
]``
Declared by:
services.monero.extraConfig¶
Extra lines to be added verbatim to monerod configuration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.monero.extraNodes¶
List of additional peer IP addresses to add to the local list.
Type: list of strings
Default: ``[
]``
Declared by:
services.monero.limits.download¶
Limit of the download rate in kB/s. Set to
-1to leave unlimited.Type: signed integer
Default:
-1Declared by:
services.monero.limits.syncSize¶
Maximum number of blocks to sync at once. Set to
0for adaptive.Type: signed integer
Default:
0Declared by:
services.monero.limits.threads¶
Maximum number of threads used for a parallel job. Set to
0to leave unlimited.Type: signed integer
Default:
0Declared by:
services.monero.limits.upload¶
Limit of the upload rate in kB/s. Set to
-1to leave unlimited.Type: signed integer
Default:
-1Declared by:
services.monero.mining.enable¶
Whether to mine moneroj.
Type: boolean
Default:
falseDeclared by:
services.monero.mining.address¶
Monero address where to send mining rewards.
Type: string
Default:
""Declared by:
services.monero.mining.threads¶
Number of threads used for mining. Set to
0to use all available.Type: signed integer
Default:
0Declared by:
services.monero.priorityNodes¶
List of peer IP addresses to connect to and attempt to keep the connection open.
Type: list of strings
Default: ``[
]``
Declared by:
services.monero.rpc.address¶
IP address the RPC server will bind to.
Type: string
Default:
"127.0.0.1"Declared by:
services.monero.rpc.password¶
Password for RPC connections.
Type: string
Default:
nullDeclared by:
services.monero.rpc.port¶
Port the RPC server will bind to.
Type: signed integer
Default:
18081Declared by:
services.monero.rpc.restricted¶
Whether to restrict RPC to view only commands.
Type: boolean
Default:
falseDeclared by:
services.monero.rpc.user¶
User name for RPC connections.
Type: null or string
Default:
nullDeclared by:
services.monetdb.enable¶
Whether to enable the MonetDB database server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.monetdb.package¶
MonetDB package to use.
Type: package
Default:
"pkgs.monetdb"Declared by:
services.monetdb.dataDir¶
Data directory for the dbfarm.
Type: path
Default:
"/var/lib/monetdb"Declared by:
services.monetdb.group¶
Group under which MonetDB runs.
Type: string
Default:
"monetdb"Declared by:
services.monetdb.listenAddress¶
Address to listen on.
Type: string
Default:
"127.0.0.1"Example:
"0.0.0.0"Declared by:
services.monetdb.port¶
Port to listen on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
50000Declared by:
services.monetdb.user¶
User account under which MonetDB runs.
Type: string
Default:
"monetdb"Declared by:
services.mongodb.enable¶
Whether to enable the MongoDB server.
Type: unspecified
Default:
falseDeclared by:
services.mongodb.enableAuth¶
Enable client authentication. Creates a default superuser with username root!
Type: boolean
Default:
falseDeclared by:
services.mongodb.package¶
Which MongoDB derivation to use.
Type: package
Default:
"pkgs.mongodb"Declared by:
services.mongodb.bind_ip¶
IP to bind to
Type: unspecified
Default:
"127.0.0.1"Declared by:
services.mongodb.dbpath¶
Location where MongoDB stores its files
Type: unspecified
Default:
"/var/db/mongodb"Declared by:
services.mongodb.extraConfig¶
MongoDB extra configuration in YAML format
Type: unspecified
Default:
""Example:
'' storage.journal.enabled: false ''Declared by:
services.mongodb.initialRootPassword¶
Password for the root user if auth is enabled.
Type: null or string
Default:
nullDeclared by:
services.mongodb.initialScript¶
A file containing MongoDB statements to execute on first startup.
Type: null or path
Default:
nullDeclared by:
services.mongodb.pidFile¶
Location of MongoDB pid file
Type: unspecified
Default:
"/run/mongodb.pid"Declared by:
services.mongodb.quiet¶
quieter output
Type: unspecified
Default:
falseDeclared by:
services.mongodb.replSetName¶
If this instance is part of a replica set, set its name here. Otherwise, leave empty to run as single node.
Type: unspecified
Default:
""Declared by:
services.mongodb.user¶
User account under which MongoDB runs
Type: unspecified
Default:
"mongodb"Declared by:
services.monit.enable¶
Whether to enable Monit.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.monit.config¶
monitrc content
Type: strings concatenated with “\n”
Default:
""Declared by:
services.moodle.enable¶
Whether to enable Moodle web application.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.moodle.package¶
The Moodle package to use.
Type: package
Default:
"pkgs.moodle"Declared by:
services.moodle.database.createLocally¶
Create the database and database user locally.
Type: boolean
Default:
trueDeclared by:
services.moodle.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.moodle.database.name¶
Database name.
Type: string
Default:
"moodle"Declared by:
services.moodle.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/moodle-dbpassword"Declared by:
services.moodle.database.port¶
Database host port.
Type: signed integer
Default:
"3306"Declared by:
services.moodle.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
"/run/mysqld/mysqld.sock"Declared by:
services.moodle.database.type¶
Database engine to use.
Type: one of “mysql”, “pgsql”
Default:
"mysql"Declared by:
services.moodle.database.user¶
Database user.
Type: string
Default:
"moodle"Declared by:
services.moodle.extraConfig¶
Any additional text to be appended to the config.php configuration file. This is a PHP script. For configuration details, see ` <https://docs.moodle.org/37/en/Configuration_file>`_.
Type: strings concatenated with “\n”
Default:
""Example:
'' $CFG->disableupdatenotifications = true; ''Declared by:
services.moodle.initialPassword¶
Specifies the initial password for the admin, i.e. the password assigned if the user does not already exist. The password specified here is world-readable in the Nix store, so it should be changed promptly.
Type: string
Example:
"correcthorsebatterystaple"Declared by:
services.moodle.poolConfig¶
Options for the Moodle PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.moodle.virtualHost¶
Apache configuration can be done by adapting . See services.httpd.virtualHosts for further information.
Type: submodule
Example:
{ hostName = "moodle.example.org"; adminAddr = "webmaster@example.org"; forceSSL = true; enableACME = true; }Declared by:
services.moodle.virtualHost.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.moodle.virtualHost.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.moodle.virtualHost.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.moodle.virtualHost.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.moodle.virtualHost.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.moodle.virtualHost.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.moodle.virtualHost.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.listen¶
services.moodle.virtualHost.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.moodle.virtualHost.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.moodle.virtualHost.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.moodle.virtualHost.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.moodle.virtualHost.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.moodle.virtualHost.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.moodle.virtualHost.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.moodle.virtualHost.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.moodle.virtualHost.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.moodle.virtualHost.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.moodle.virtualHost.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.moodle.virtualHost.servedDirs¶
services.moodle.virtualHost.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.moodle.virtualHost.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.moodle.virtualHost.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.moodle.virtualHost.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.moodle.virtualHost.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.moodle.virtualHost.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.mopidy.enable¶
Whether to enable Mopidy, a music player daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mopidy.configuration¶
The configuration that Mopidy should use.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.mopidy.dataDir¶
The directory where Mopidy stores its state.
Type: string
Default:
"/var/lib/mopidy"Declared by:
services.mopidy.extensionPackages¶
Mopidy extensions that should be loaded by the service.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.mopidy-spotify ]Declared by:
services.mopidy.extraConfigFiles¶
Extra config file read by Mopidy when the service starts. Later files in the list overrides earlier configuration.
Type: list of strings
Default: ``[
]``
Declared by:
services.morty.enable¶
Whether to enable Morty proxy server. See https://github.com/asciimoo/morty.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.morty.package¶
morty package to use.
Type: package
Default:
"pkgs.morty"Declared by:
services.morty.ipv6¶
Allow IPv6 HTTP requests?
Type: boolean
Default:
"Allow IPv6 HTTP requests."Declared by:
services.morty.key¶
HMAC url validation key (hexadecimal encoded). Leave blank to disable. Without validation key, anyone can submit proxy requests. Leave blank to disable.
Type: string
Default:
"No HMAC url validation. Generate with echo -n somevalue | openssl dgst -sha1 -hmac somekey"Declared by:
services.morty.listenAddress¶
The address on which the service listens
Type: string
Default:
"127.0.0.1 (localhost)"Declared by:
services.morty.port¶
Listing port
Type: signed integer
Default:
3000Declared by:
services.morty.timeout¶
Request timeout in seconds.
Type: signed integer
Default:
"A resource now gets 2 seconds to respond."Declared by:
services.mosquitto.enable¶
Whether to enable the MQTT Mosquitto broker.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mosquitto.aclExtraConf¶
Extra config to prepend to the ACL file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.mosquitto.allowAnonymous¶
Allow clients to connect without authentication.
Type: boolean
Default:
falseDeclared by:
services.mosquitto.checkPasswords¶
Refuse connection when clients provide incorrect passwords.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mosquitto.dataDir¶
The data directory.
Type: path
Default:
"/var/lib/mosquitto"Declared by:
services.mosquitto.extraConf¶
Extra config to append to `mosquitto.conf` file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.mosquitto.host¶
Host to listen on without SSL.
Type: string
Default:
"127.0.0.1"Example:
"0.0.0.0"Declared by:
services.mosquitto.port¶
Port on which to listen without SSL.
Type: signed integer
Default:
1883Example:
1883Declared by:
services.mosquitto.ssl.enable¶
Whether to enable SSL listener.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mosquitto.ssl.cafile¶
Path to PEM encoded CA certificates.
Type: null or path
Default:
nullDeclared by:
services.mosquitto.ssl.certfile¶
Path to PEM encoded server certificate.
Type: null or path
Default:
nullDeclared by:
services.mosquitto.ssl.host¶
Host to listen on with SSL.
Type: string
Default:
"0.0.0.0"Example:
"localhost"Declared by:
services.mosquitto.ssl.keyfile¶
Path to PEM encoded server key.
Type: null or path
Default:
nullDeclared by:
services.mosquitto.ssl.port¶
Port on which to listen with SSL.
Type: signed integer
Default:
8883Example:
8883Declared by:
services.mosquitto.users¶
A set of users and their passwords and ACLs.
Type: attribute set of submodules
Example:
{ john = { acl = [ "topic readwrite john/#" ] ; password = "123456"; } ; }Declared by:
services.mosquitto.users.<name>.acl¶
Control client access to topics on the broker.
Type: list of strings
Example:
[ "topic read A/B" "topic A/#" ]Declared by:
services.mosquitto.users.<name>.hashedPassword¶
Specifies the hashed password for the MQTT User. overrides . To generate hashed password install
mosquittopackage and usemosquitto_passwd.Type: null or string
Default:
nullDeclared by:
services.mosquitto.users.<name>.password¶
Specifies the (clear text) password for the MQTT User.
Type: null or string
Default:
nullDeclared by:
services.mpd.enable¶
Whether to enable MPD, the music player daemon.
Type: boolean
Default:
falseDeclared by:
services.mpd.dataDir¶
The directory where MPD stores its state, tag cache, playlists etc.
Type: path
Default:
"/var/lib/mpd"Declared by:
services.mpd.dbFile¶
The path to MPD’s database. If set to
nullthe parameter is omitted from the configuration.Type: null or string
Default:
"\\${dataDir}/tag_cache"Declared by:
services.mpd.extraConfig¶
Extra directives added to to the end of MPD’s configuration file, mpd.conf. Basic configuration like file location and uid/gid is added automatically to the beginning of the file. For available options see
man 5 mpd.conf’.Type: strings concatenated with “\n”
Default:
""Declared by:
services.mpd.group¶
Group account under which MPD runs.
Type: string
Default:
"mpd"Declared by:
services.mpd.musicDirectory¶
The directory or NFS/SMB network share where mpd reads music from.
Type: path or string matching the pattern (http|https|nfs|smb)://.+
Default:
"\\${dataDir}/music"Declared by:
services.mpd.network.listenAddress¶
The address for the daemon to listen on. Use
anyto listen on all addresses.Type: string
Default:
"127.0.0.1"Example:
"any"Declared by:
services.mpd.network.port¶
This setting is the TCP port that is desired for the daemon to get assigned to.
Type: signed integer
Default:
6600Declared by:
services.mpd.playlistDirectory¶
The directory where mpd stores playlists.
Type: path
Default:
"\\${dataDir}/playlists"Declared by:
services.mpd.startWhenNeeded¶
If set, mpd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start it on the first incoming connection.
Type: boolean
Default:
falseDeclared by:
services.mpd.user¶
User account under which MPD runs.
Type: string
Default:
"mpd"Declared by:
services.mstpd.enable¶
Whether to enable the multiple spanning tree protocol daemon.
Type: boolean
Default:
falseDeclared by:
services.mtprotoproxy.enable¶
Whether to enable mtprotoproxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mtprotoproxy.adTag¶
Tag for advertising that can be obtained from @MTProxybot.
Type: null or string
Default:
nullExample:
"3c09c680b76ee91a4c25ad51f742267d"Declared by:
services.mtprotoproxy.extraConfig¶
Extra configuration options for mtprotoproxy.
Type: attribute set
Default: ``{
}``
Example:
{ STATS_PRINT_PERIOD = 600; }Declared by:
services.mtprotoproxy.port¶
TCP port to accept mtproto connections on.
Type: signed integer
Default:
3256Declared by:
services.mtprotoproxy.secureOnly¶
Don’t allow users to connect in non-secure mode (without random padding).
Type: boolean
Default:
trueDeclared by:
services.mtprotoproxy.users¶
Allowed users and their secrets. A secret is a 32 characters long hex string.
Type: attribute set of strings
Example:
{ tg = "00000000000000000000000000000000"; tg2 = "0123456789abcdef0123456789abcdef"; }Declared by:
services.munge.enable¶
Whether to enable munge service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.munge.password¶
The path to a daemon’s secret key.
Type: path
Default:
"/etc/munge/munge.key"Declared by:
services.munin-cron.enable¶
Enable munin-cron. Takes care of all heavy lifting to collect data from nodes and draws graphs to html. Runs munin-update, munin-limits, munin-graphs and munin-html in that order.
HTML output is in
/var/www/munin/, configure your favourite webserver to serve static files.Type: boolean
Default:
falseDeclared by:
services.munin-cron.extraCSS¶
Custom styling for the HTML that munin-cron generates. This will be appended to the CSS files used by munin-cron and will thus take precedence over the builtin styles.
Type: strings concatenated with “\n”
Default:
""Example:
'' /* A simple dark theme. */ html, body { background: #222222; } #header, #footer { background: #333333; } img.i, img.iwarn, img.icrit, img.iunkn { filter: invert(100%) hue-rotate(-30deg); } ''Declared by:
services.munin-cron.extraGlobalConfig¶
munin.confextra global configuration. See ` <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>`_. Useful to setup notifications, see` <http://guide.munin-monitoring.org/en/latest/tutorial/alert.html>`_Type: strings concatenated with “\n”
Default:
""Example:
'' contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com ''Declared by:
services.munin-cron.hosts¶
Definitions of hosts of nodes to collect data from. Needs at least one host for cron to succeed. See` <http://guide.munin-monitoring.org/en/latest/reference/munin.conf.html>`_
Type: strings concatenated with “\n”
Default:
""Example:
'' [''${config.networking.hostName}] address localhost ''Declared by:
services.munin-node.enable¶
Enable Munin Node agent. Munin node listens on 0.0.0.0 and by default accepts connections only from 127.0.0.1 for security reasons.
See ` <http://guide.munin-monitoring.org/en/latest/architecture/index.html>`_.
Type: boolean
Default:
falseDeclared by:
services.munin-node.disabledPlugins¶
Munin plugins to disable, even if``munin-node-configure –suggest`` tries to enable them. To disable a wildcard plugin, use an actual wildcard, as in the example.
munin_stats is disabled by default as it tries to read``/var/log/munin/munin-update.log`` for timing information, and the NixOS build of Munin does not write this file.
Type: list of strings
Default:
[ "munin_stats" ]Example:
[ "diskstats" "zfs_usage_*" ]Declared by:
services.munin-node.extraAutoPlugins¶
Additional Munin plugins to autoconfigure, using``munin-node-configure –suggest``. These should be the actual paths to the plugin files (or directories containing them), not just their names.
If you want to manually enable individual plugins instead, use.
Note that only plugins that have the ‘autoconfig’ capability will do anything if listed here, since plugins that cannot autoconfigure won’t be automatically enabled by``munin-node-configure``.
Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to``/bin``,
/usr/bin,``/sbin``, and/usr/sbin.Type: list of paths
Default: ``[
]``
Example:
[ /src/munin-contrib/plugins/zfs /src/munin-contrib/plugins/ssh ];Declared by:
services.munin-node.extraConfig¶
munin-node.confextra configuration. See` <http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html>`_Type: strings concatenated with “\n”
Default:
""Declared by:
services.munin-node.extraPluginConfig¶
plugin-conf.dextra plugin configuration. See` <http://guide.munin-monitoring.org/en/latest/plugin/use.html>`_Type: strings concatenated with “\n”
Default:
""Example:
'' [fail2ban_*] user root ''Declared by:
services.munin-node.extraPlugins¶
Additional Munin plugins to activate. Keys are the name of the plugin symlink, values are the path to the underlying plugin script. You can use the same plugin script multiple times (e.g. for wildcard plugins).
Note that these plugins do not participate in autoconfiguration. If you want to autoconfigure additional plugins, use.
Plugins enabled in this manner take precedence over autoconfigured plugins.
Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to``/bin``,
/usr/bin,``/sbin``, and/usr/sbin.Type: attribute set of paths
Default: ``{
}``
Example:
{ zfs_usage_bigpool = /src/munin-contrib/plugins/zfs/zfs_usage_; zfs_usage_smallpool = /src/munin-contrib/plugins/zfs/zfs_usage_; zfs_list = /src/munin-contrib/plugins/zfs/zfs_list; };Declared by:
services.murmur.enable¶
If enabled, start the Murmur Mumble server.
Type: boolean
Default:
falseDeclared by:
services.murmur.allowHtml¶
Allow HTML in client messages, comments, and channel descriptions.
Type: boolean
Default:
trueDeclared by:
services.murmur.autobanAttempts¶
Number of attempts a client is allowed to make in``autobanTimeframe`` seconds, before being banned for
autobanTime.Type: signed integer
Default:
10Declared by:
services.murmur.autobanTime¶
The amount of time an IP ban lasts (in seconds).
Type: signed integer
Default:
300Declared by:
services.murmur.autobanTimeframe¶
Timeframe in which a client can connect without being banned for repeated attempts (in seconds).
Type: signed integer
Default:
120Declared by:
services.murmur.bandwidth¶
Maximum bandwidth (in bits per second) that clients may send speech at.
Type: signed integer
Default:
72000Declared by:
services.murmur.bonjour¶
Enable Bonjour auto-discovery, which allows clients over your LAN to automatically discover Murmur servers.
Type: boolean
Default:
falseDeclared by:
services.murmur.clientCertRequired¶
Require clients to authenticate via certificates.
Type: boolean
Default:
falseDeclared by:
services.murmur.extraConfig¶
Extra configuration to put into murmur.ini.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.murmur.hostName¶
Host to bind to. Defaults binding on all addresses.
Type: string
Default:
""Declared by:
services.murmur.imgMsgLength¶
Max length of image messages. Set 0 for no limit.
Type: signed integer
Default:
131072Declared by:
services.murmur.logDays¶
How long to store RPC logs for in the database. Set 0 to keep logs forever, or -1 to disable DB logging.
Type: signed integer
Default:
31Declared by:
services.murmur.logFile¶
Path to the log file for Murmur daemon. Empty means log to journald.
Type: null or path
Default:
nullExample:
"/var/log/murmur/murmurd.log"Declared by:
services.murmur.password¶
Required password to join server, if specified.
Type: string
Default:
""Declared by:
services.murmur.port¶
Ports to bind to (UDP and TCP).
Type: signed integer
Default:
64738Declared by:
services.murmur.registerHostname¶
DNS hostname where your server can be reached. This is only needed if you want your server to be accessed by its hostname and not IP - but the name *must* resolve on the internet properly.
Type: string
Default:
""Declared by:
services.murmur.registerName¶
Public server registration name, and also the name of the Root channel. Even if you don’t publicly register your server, you probably still want to set this.
Type: string
Default:
""Declared by:
services.murmur.registerPassword¶
Public server registry password, used authenticate your server to the registry to prevent impersonation; required for subsequent registry updates.
Type: string
Default:
""Declared by:
services.murmur.registerUrl¶
URL website for your server.
Type: string
Default:
""Declared by:
services.murmur.sendVersion¶
Send Murmur version in UDP response.
Type: boolean
Default:
trueDeclared by:
services.murmur.sslCa¶
Path to your SSL CA certificate.
Type: string
Default:
""Declared by:
services.murmur.sslCert¶
Path to your SSL certificate.
Type: string
Default:
""Declared by:
services.murmur.sslKey¶
Path to your SSL key.
Type: string
Default:
""Declared by:
services.murmur.textMsgLength¶
Max length of text messages. Set 0 for no limit.
Type: signed integer
Default:
5000Declared by:
services.murmur.users¶
Maximum number of concurrent clients allowed.
Type: signed integer
Default:
100Declared by:
services.murmur.welcometext¶
Welcome message for connected clients.
Type: string
Default:
""Declared by:
services.mwlib.nserve.enable¶
Whether to enable nserve. Nserve is a HTTP server. The Collection extension is talking to that program directly. Nserve uses at least one qserve instance in order to distribute and manage jobs.
Type: boolean
Default:
falseDeclared by:
services.mwlib.nserve.address¶
Specify network interface to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.mwlib.nserve.port¶
Specify port to listen on.
Type: signed integer
Default:
8899Declared by:
services.mwlib.nserve.qserve¶
Register qserve instance.
Type: list of strings
Default:
[ "127.0.0.1:14311" ]Declared by:
services.mwlib.nserve.user¶
User to run as.
Type: string
Default:
"nobody"Declared by:
services.mwlib.nslave.enable¶
Pulls new jobs from exactly one qserve instance and calls the zip and render programs in order to download article collections and convert them to different output formats. Nslave uses a cache directory to store the generated documents. Nslave also starts an internal http server serving the content of the cache directory.
Type: boolean
Default:
falseDeclared by:
services.mwlib.nslave.cachedir¶
Directory to store generated documents.
Type: path
Default:
"/var/cache/mwlib-nslave"Declared by:
services.mwlib.nslave.http¶
Internal http server serving the content of the cache directory. You have to enable it, or use your own way for serving files and set the http.url option accordingly.
Type: submodule
Default: ``{
}``
Declared by:
services.mwlib.nslave.http.enable¶
Enable internal http server.
Type: boolean
Default:
trueDeclared by:
services.mwlib.nslave.http.address¶
Specify network interface to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.mwlib.nslave.http.port¶
Port to listen to when serving files from cache.
Type: signed integer
Default:
8898Declared by:
services.mwlib.nslave.http.url¶
Specify URL for accessing generated files from cache. The Collection extension of Mediawiki won’t be able to download files without it.
Type: string
Default:
"http://localhost:8898/cache"Declared by:
services.mwlib.nslave.numprocs¶
Number of parallel jobs to be executed.
Type: signed integer
Default:
10Declared by:
services.mwlib.nslave.user¶
User to run as.
Type: string
Default:
"nobody"Declared by:
services.mwlib.qserve.enable¶
A job queue server used to distribute and manage jobs. You should start one qserve instance for each machine that is supposed to render pdf files. Unless you’re operating the Wikipedia installation, one machine should suffice.
Type: boolean
Default:
falseDeclared by:
services.mwlib.qserve.address¶
Specify network interface to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.mwlib.qserve.allow¶
List of allowed client IPs. Empty means any.
Type: list of strings
Default:
[ "127.0.0.1" ]Declared by:
services.mwlib.qserve.datadir¶
qserve data directory (FIXME: unused?)
Type: path
Default:
"/var/lib/mwlib-qserve"Declared by:
services.mwlib.qserve.port¶
Specify port to listen on.
Type: signed integer
Default:
14311Declared by:
services.mwlib.qserve.user¶
User to run as.
Type: string
Default:
"nobody"Declared by:
services.mxisd.enable¶
Whether to enable matrix federated identity server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.mxisd.package¶
The mxisd/ma1sd package to use
Type: package
Default:
"pkgs.mxisd"Declared by:
services.mxisd.dataDir¶
Where data mxisd/ma1sd uses resides
Type: string
Default:
"/var/lib/mxisd"Declared by:
services.mxisd.extraConfig¶
Extra options merged into the mxisd/ma1sd configuration
Type: attribute set
Default: ``{
}``
Declared by:
services.mxisd.matrix.domain¶
the domain of the matrix homeserver
Type: string
Declared by:
services.mxisd.server.name¶
Public hostname of mxisd/ma1sd, if different from the Matrix domain.
Type: null or string
Default:
nullDeclared by:
services.mxisd.server.port¶
HTTP port to listen on (unencrypted)
Type: null or signed integer
Default:
nullDeclared by:
services.mysql.enable¶
Whether to enable the MySQL server.
Type: boolean
Default:
falseDeclared by:
services.mysql.package¶
Which MySQL derivation to use. MariaDB packages are supported too.
Type: package
Example:
pkgs.mysqlDeclared by:
services.mysql.bind¶
Address to bind to. The default is to bind to all addresses
Type: null or string
Default:
nullExample:
0.0.0.0Declared by:
services.mysql.dataDir¶
Location where MySQL stores its table files
Type: path
Example:
"/var/lib/mysql"Declared by:
services.mysql.ensureDatabases¶
Ensures that the specified databases exist. This option will never delete existing databases, especially not when the value of this option is changed. This means that databases created once through this option or otherwise have to be removed manually.
Type: list of strings
Default: ``[
]``
Example:
[ "nextcloud" "matomo" ]Declared by:
services.mysql.ensureUsers¶
Ensures that the specified users exist and have at least the ensured permissions. The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password. This option will never delete existing users or remove permissions, especially not when the value of this option is changed. This means that users created and permissions assigned once through this option or otherwise have to be removed manually.
Type: list of submodules
Default: ``[
]``
Example:
[ { name = "nextcloud"; ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; }; } { name = "backup"; ensurePermissions = { "*.*" = "SELECT, LOCK TABLES"; }; } ]Declared by:
services.mysql.ensureUsers.*.ensurePermissions¶
Permissions to ensure for the user, specified as attribute set. The attribute names specify the database and tables to grant the permissions for, separated by a dot. You may use wildcards here. The attribute values specfiy the permissions to grant. You may specify one or multiple comma-separated SQL privileges here.
For more information on how to specify the target and on which privileges exist, see the`GRANT syntax <https://mariadb.com/kb/en/library/grant/>`_. The attributes are used as GRANT ${attrName} ON ${attrValue}.
Type: attribute set of strings
Default: ``{
}``
Example:
{ "database.*" = "ALL PRIVILEGES"; "*.*" = "SELECT, LOCK TABLES"; }Declared by:
services.mysql.ensureUsers.*.name¶
Name of the user to ensure.
Type: string
Declared by:
services.mysql.extraOptions¶
Provide extra options to the MySQL configuration file.
Please note, that these options are added to the``[mysqld]`` section so you don’t need to explicitly state it again.
Type: strings concatenated with “\n”
Default:
""Example:
'' key_buffer_size = 6G table_cache = 1600 log-error = /var/log/mysql_err.log ''Declared by:
services.mysql.initialDatabases¶
List of database names and their initial schemas that should be used to create databases on the first startup of MySQL. The schema attribute is optional: If not specified, an empty database is created.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ name = “foodatabase”; schema = ./foodatabase.sql; }
{ name = “bardatabase”; }
]``
Declared by:
services.mysql.initialDatabases.*.name¶
The name of the database to create.
Type: string
Declared by:
services.mysql.initialDatabases.*.schema¶
The initial schema of the database; if null (the default), an empty database is created.
Type: null or path
Default:
nullDeclared by:
services.mysql.initialScript¶
A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database
Type: null or path
Default:
nullDeclared by:
services.mysql.port¶
Port of MySQL
Type: signed integer
Default:
3306Declared by:
services.mysql.replication.masterHost¶
Hostname of the MySQL master server
Type: string
Declared by:
services.mysql.replication.masterPassword¶
Password of the MySQL replication user
Type: string
Declared by:
services.mysql.replication.masterPort¶
Port number on which the MySQL master server runs
Type: signed integer
Default:
3306Declared by:
services.mysql.replication.masterUser¶
Username of the MySQL replication user
Type: string
Declared by:
services.mysql.replication.role¶
Role of the MySQL server instance.
Type: one of “master”, “slave”, “none”
Default:
"none"Declared by:
services.mysql.replication.serverId¶
Id of the MySQL server instance. This number must be unique for each instance
Type: signed integer
Default:
1Declared by:
services.mysql.replication.slaveHost¶
Hostname of the MySQL slave server
Type: string
Declared by:
services.mysql.user¶
User account under which MySQL runs
Type: string
Default:
"mysql"Declared by:
services.mysqlBackup.enable¶
Whether to enable MySQL backups.
Type: unspecified
Default:
falseDeclared by:
services.mysqlBackup.calendar¶
Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).
Type: string
Default:
"01:15:00"Declared by:
services.mysqlBackup.databases¶
services.mysqlBackup.location¶
Location to put the gzipped MySQL database dumps.
Type: unspecified
Default:
"/var/backup/mysql"Declared by:
services.mysqlBackup.singleTransaction¶
Whether to create database dump in a single transaction
Type: unspecified
Default:
falseDeclared by:
services.mysqlBackup.user¶
User to be used to perform backup.
Type: unspecified
Default:
"mysqlbackup"Declared by:
services.nagios.enable¶
Whether to enable Nagios to monitor your system or network..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nagios.enableWebInterface¶
Whether to enable the Nagios web interface. You should also enable Apache ().
Type: boolean
Default:
falseDeclared by:
services.nagios.cgiConfigFile¶
Derivation for the configuration file of Nagios CGI scripts that can be used in web servers for running the Nagios web interface.
Type: package
Default:
"nagiosCGICfgFile"Declared by:
services.nagios.extraConfig¶
Configuration to add to /etc/nagios.cfg
Type: attribute set of strings
Default: ``{
}``
Example:
{ debug_file = "/var/log/nagios/debug.log"; debug_level = "-1"; }Declared by:
services.nagios.mainConfigFile¶
If non-null, overrides the main configuration file of Nagios.
Type: null or package
Default:
nullDeclared by:
services.nagios.objectDefs¶
A list of Nagios object configuration files that must define the hosts, host groups, services and contacts for the network that you want Nagios to monitor.
Type: list of paths
Example:
[ ./objects.cfg ]Declared by:
services.nagios.plugins¶
Packages to be added to the Nagios PATH. Typically used to add plugins, but can be anything.
Type: list of packages
Default:
"\[pkgs.nagiosPluginsOfficial pkgs.ssmtp pkgs.mailutils]"Declared by:
services.nagios.validateConfig¶
if true, the syntax of the nagios configuration file is checked at build time
Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost¶
Apache configuration can be done by adapting . See services.httpd.virtualHosts for further information.
Type: submodule
Example:
{ hostName = "example.org"; adminAddr = "webmaster@example.org"; enableSSL = true; sslServerCert = "/var/lib/acme/example.org/full.pem"; sslServerKey = "/var/lib/acme/example.org/key.pem"; }Declared by:
services.nagios.virtualHost.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.nagios.virtualHost.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.nagios.virtualHost.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.nagios.virtualHost.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.nagios.virtualHost.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.nagios.virtualHost.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.nagios.virtualHost.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.listen¶
services.nagios.virtualHost.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.nagios.virtualHost.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.nagios.virtualHost.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.nagios.virtualHost.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.nagios.virtualHost.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nagios.virtualHost.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.nagios.virtualHost.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.nagios.virtualHost.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.nagios.virtualHost.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.nagios.virtualHost.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.nagios.virtualHost.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.nagios.virtualHost.servedDirs¶
services.nagios.virtualHost.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.nagios.virtualHost.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.nagios.virtualHost.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.nagios.virtualHost.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.nagios.virtualHost.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.nagios.virtualHost.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.namecoind.enable¶
Whether to enable namecoind, Namecoin client.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.namecoind.extraNodes¶
List of additional peer IP addresses to connect to.
Type: list of strings
Default: ``[
]``
Declared by:
services.namecoind.generate¶
Whether to generate (mine) Namecoins.
Type: boolean
Default:
falseDeclared by:
services.namecoind.rpc.address¶
IP address the RPC server will bind to.
Type: string
Default:
"0.0.0.0"Declared by:
services.namecoind.rpc.allowFrom¶
List of IP address ranges allowed to use the RPC API. Wiledcards (*) can be user to specify a range.
Type: list of strings
Default:
[ "127.0.0.1" ]Declared by:
services.namecoind.rpc.certificate¶
Certificate file for securing RPC connections.
Type: null or path
Default:
nullExample:
"/var/lib/namecoind/server.cert"Declared by:
services.namecoind.rpc.key¶
Key file for securing RPC connections.
Type: null or path
Default:
nullExample:
"/var/lib/namecoind/server.pem"Declared by:
services.namecoind.rpc.password¶
Password for RPC connections.
Type: string
Default:
nullDeclared by:
services.namecoind.rpc.port¶
Port the RPC server will bind to.
Type: signed integer
Default:
8332Declared by:
services.namecoind.rpc.user¶
User name for RPC connections.
Type: null or string
Default:
nullDeclared by:
services.namecoind.trustedNodes¶
List of the only peer IP addresses to connect to. If specified no other connection will be made.
Type: list of strings
Default: ``[
]``
Declared by:
services.namecoind.wallet¶
Wallet file. The ownership of the file has to be namecoin:namecoin, and the permissions must be 0640.
Type: path
Default:
"/var/lib/namecoind/wallet.dat"Declared by:
services.ndppd.enable¶
Whether to enable daemon that proxies NDP (Neighbor Discovery Protocol) messages between interfaces.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ndppd.configFile¶
Path to configuration file.
Type: null or path
Default:
nullDeclared by:
services.ndppd.interface¶
Interface which is on link-level with router. (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)
Type: null or string
Default:
nullExample:
"eth0"Declared by:
services.ndppd.network¶
Network that we proxy. (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)
Type: null or string
Default:
nullExample:
"1111::/64"Declared by:
services.ndppd.proxies¶
services.ndppd.proxies.<name>.interface¶
Listen for any Neighbor Solicitation messages on this interface, and respond to them according to a set of rules. Defaults to the name of the attrset.
Type: null or string
Default:
nullDeclared by:
services.ndppd.proxies.<name>.router¶
Turns on or off the router flag for Neighbor Advertisement Messages.
Type: boolean
Default:
trueDeclared by:
services.ndppd.proxies.<name>.rules¶
This is a rule that the target address is to match against. If no netmask is provided, /128 is assumed. You may have several rule sections, and the addresses may or may not overlap.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.ndppd.proxies.<name>.rules.<name>.interface¶
Interface to use when method is iface.
Type: null or string
Default:
nullDeclared by:
services.ndppd.proxies.<name>.rules.<name>.method¶
static: Immediately answer any Neighbor Solicitation Messages (if they match the IP rule). iface: Forward the Neighbor Solicitation Message through the specified interface and only respond if a matching Neighbor Advertisement Message is received. auto: Same as iface, but instead of manually specifying the outgoing interface, check for a matching route in /proc/net/ipv6_route.
Type: one of “static”, “iface”, “auto”
Default:
"auto"Declared by:
services.ndppd.proxies.<name>.rules.<name>.network¶
This is the target address is to match against. If no netmask is provided, /128 is assumed. The addresses of serveral rules may or may not overlap. Defaults to the name of the attrset.
Type: null or string
Default:
nullDeclared by:
services.ndppd.proxies.<name>.timeout¶
Controls how long to wait for a Neighbor Advertisment Message before invalidating the entry, in milliseconds.
Type: signed integer
Default:
500Declared by:
services.ndppd.proxies.<name>.ttl¶
Controls how long a valid or invalid entry remains in the cache, in milliseconds.
Type: signed integer
Default:
30000Declared by:
services.ndppd.routeTTL¶
This tells ‘ndppd’ how often to reload the route file /proc/net/ipv6_route, in milliseconds.
Type: signed integer
Default:
30000Declared by:
services.neard.enable¶
Whether to enable neard, NFC daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.neo4j.enable¶
Whether to enable Neo4j Community Edition.
Type: boolean
Default:
falseDeclared by:
services.neo4j.package¶
Neo4j package to use.
Type: package
Default:
"pkgs.neo4j"Declared by:
services.neo4j.allowUpgrade¶
Allow upgrade of Neo4j database files from an older version.
Type: boolean
Default:
falseDeclared by:
services.neo4j.bolt.enable¶
Enable the BOLT connector for Neo4j. Setting this option to``false`` will stop Neo4j from listening for incoming connections on the BOLT port (7687 by default).
Type: boolean
Default:
trueDeclared by:
services.neo4j.bolt.listenAddress¶
Neo4j listen address for BOLT traffic. The listen address is expressed in the format
<ip-address>:<port-number>.Type: string
Default:
":7687"Declared by:
services.neo4j.bolt.sslPolicy¶
Neo4j SSL policy for BOLT traffic.
The legacy policy is a special policy which is not defined in the policy configuration section, but rather derives from and associated files (by default:
neo4j.keyand:file:neo4j.cert). Its use will be deprecated.Note: This connector must be configured to support/require SSL/TLS for the legacy policy to actually be utilized. See.
Type: string
Default:
"legacy"Declared by:
services.neo4j.bolt.tlsLevel¶
SSL/TSL requirement level for BOLT traffic.
Type: one of “REQUIRED”, “OPTIONAL”, “DISABLED”
Default:
"OPTIONAL"Declared by:
services.neo4j.constrainLoadCsv¶
Sets the root directory for file URLs used with the Cypher``LOAD CSV`` clause to be that defined by. It restricts access to only those files within that directory and its subdirectories.
Setting this option to
falseintroduces possible security problems.Type: boolean
Default:
trueDeclared by:
services.neo4j.defaultListenAddress¶
Default network interface to listen for incoming connections. To listen for connections on all interfaces, use “0.0.0.0”.
Specifies the default IP address and address part of connector specific options. To bind specific connectors to a specific network interfaces, specify the entire option for that connector.
Type: string
Default:
"127.0.0.1"Declared by:
services.neo4j.directories.certificates¶
Directory for storing certificates to be used by Neo4j for TLS connections.
When setting this directory to something other than its default, ensure the directory’s existence, and that read/write permissions are given to the Neo4j daemon user
neo4j.Note that changing this directory from its default will prevent the directory structure required for each SSL policy from being automatically generated. A policy’s directory structure as defined by its , and must then be setup manually. The existence of these directories is mandatory, as well as the presence of the certificate file and the private key. Ensure the correct permissions are set on these directories and files.
Type: path
Default:
"/var/lib/neo4j/certificates"Declared by:
services.neo4j.directories.data¶
Path of the data directory. You must not configure more than one Neo4j installation to use the same data directory.
When setting this directory to something other than its default, ensure the directory’s existence, and that read/write permissions are given to the Neo4j daemon user
neo4j.Type: path
Default:
"/var/lib/neo4j/data"Declared by:
services.neo4j.directories.home¶
Path of the Neo4j home directory. Other default directories are subdirectories of this path. This directory will be created if non-existent, and its ownership will be chown to the Neo4j daemon user
neo4j.Type: path
Default:
"/var/lib/neo4j"Declared by:
services.neo4j.directories.imports¶
The root directory for file URLs used with the Cypher``LOAD CSV`` clause. Only meaningful when is set to``true``.
When setting this directory to something other than its default, ensure the directory’s existence, and that read permission is given to the Neo4j daemon user
neo4j.Type: path
Default:
"/var/lib/neo4j/import"Declared by:
services.neo4j.directories.plugins¶
Path of the database plugin directory. Compiled Java JAR files that contain database procedures will be loaded if they are placed in this directory.
When setting this directory to something other than its default, ensure the directory’s existence, and that read permission is given to the Neo4j daemon user
neo4j.Type: path
Default:
"/var/lib/neo4j/plugins"Declared by:
services.neo4j.extraServerConfig¶
Extra configuration for Neo4j Community server. Refer to the`complete reference <https://neo4j.com/docs/operations-manual/current/reference/configuration-settings/>`_ of Neo4j configuration settings.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.neo4j.http.enable¶
The HTTP connector is required for Neo4j, and cannot be disabled. Setting this option to
falsewill force the HTTP connector’s to the loopback interface to prevent connection of remote clients. To prevent all clients from connecting, block the HTTP port (7474 by default) by firewall.Type: boolean
Default:
trueDeclared by:
services.neo4j.http.listenAddress¶
Neo4j listen address for HTTP traffic. The listen address is expressed in the format
<ip-address>:<port-number>.Type: string
Default:
":7474"Declared by:
services.neo4j.https.enable¶
Enable the HTTPS connector for Neo4j. Setting this option to``false`` will stop Neo4j from listening for incoming connections on the HTTPS port (7473 by default).
Type: boolean
Default:
trueDeclared by:
services.neo4j.https.listenAddress¶
Neo4j listen address for HTTPS traffic. The listen address is expressed in the format
<ip-address>:<port-number>.Type: string
Default:
":7473"Declared by:
services.neo4j.https.sslPolicy¶
Neo4j SSL policy for HTTPS traffic.
The legacy policy is a special policy which is not defined in the policy configuration section, but rather derives from and associated files (by default:
neo4j.keyand:file:neo4j.cert). Its use will be deprecated.Type: string
Default:
"legacy"Declared by:
services.neo4j.readOnly¶
Only allow read operations from this Neo4j instance.
Type: boolean
Default:
falseDeclared by:
services.neo4j.shell.enable¶
Enable a remote shell server which Neo4j Shell clients can log in to. Only applicable to neo4j-shell.
Type: boolean
Default:
falseDeclared by:
services.neo4j.ssl.policies¶
Defines the SSL policies for use with Neo4j connectors. Each attribute of this set defines a policy, with the attribute name defining the name of the policy and its namespace. Refer to the operations manual section on Neo4j’s`SSL Framework <https://neo4j.com/docs/operations-manual/current/security/ssl-framework/>`_ for further details.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.neo4j.ssl.policies.<name>.allowKeyGeneration¶
Allows the generation of a private key and associated self-signed certificate. Only performed when both objects cannot be found for this policy. It is recommended to turn this off again after keys have been generated.
The public certificate is required to be duplicated to the directory holding trusted certificates as defined by the option.
Keys should in general be generated and distributed offline by a trusted certificate authority and not by utilizing this mode.
Type: boolean
Default:
falseDeclared by:
services.neo4j.ssl.policies.<name>.baseDirectory¶
The mandatory base directory for cryptographic objects of this policy. This path is only automatically generated when this option as well as are left at their default. Ensure read/write permissions are given to the Neo4j daemon user
neo4j.It is also possible to override each individual configuration with absolute paths. See the and policy options.
Type: path
Default:
"/var/lib/neo4j/certificates/‹name›"Declared by:
services.neo4j.ssl.policies.<name>.ciphers¶
Restrict the allowed ciphers of this policy to those defined here. The default ciphers are those of the JVM platform.
Type: null or list of strings
Default:
nullDeclared by:
services.neo4j.ssl.policies.<name>.clientAuth¶
The client authentication stance for this policy.
Type: one of “NONE”, “OPTIONAL”, “REQUIRE”
Default:
"REQUIRE"Declared by:
services.neo4j.ssl.policies.<name>.privateKey¶
The name of private PKCS #8 key file for this policy to be found in the , or the absolute path to the key file. It is mandatory that a key can be found or generated.
Type: string
Default:
"private.key"Declared by:
services.neo4j.ssl.policies.<name>.publicCertificate¶
The name of public X.509 certificate (chain) file in PEM format for this policy to be found in the , or the absolute path to the certificate file. It is mandatory that a certificate can be found or generated.
The public certificate is required to be duplicated to the directory holding trusted certificates as defined by the option.
Type: string
Default:
"public.crt"Declared by:
services.neo4j.ssl.policies.<name>.revokedDir¶
Path to directory of CRLs (Certificate Revocation Lists) in PEM format. Must be an absolute path. The existence of this directory is mandatory and will need to be created manually when: setting this option to something other than its default; setting either this policy’s or to something other than their default. Ensure read/write permissions are given to the Neo4j daemon user
neo4j.Type: path
Default:
"/var/lib/neo4j/certificates/‹name›/revoked"Declared by:
services.neo4j.ssl.policies.<name>.tlsVersions¶
Restrict the TLS protocol versions of this policy to those defined here.
Type: list of strings
Default:
[ "TLSv1.2" ]Declared by:
services.neo4j.ssl.policies.<name>.trustAll¶
Makes this policy trust all remote parties. Enabling this is not recommended and the policy’s trusted directory will be ignored. Use of this mode is discouraged. It would offer encryption but no security.
Type: boolean
Default:
falseDeclared by:
services.neo4j.ssl.policies.<name>.trustedDir¶
Path to directory of X.509 certificates in PEM format for trusted parties. Must be an absolute path. The existence of this directory is mandatory and will need to be created manually when: setting this option to something other than its default; setting either this policy’s or to something other than their default. Ensure read/write permissions are given to the Neo4j daemon user
neo4j.The public certificate as defined by is required to be duplicated to this directory.
Type: path
Default:
"/var/lib/neo4j/certificates/‹name›/trusted"Declared by:
services.neo4j.udc.enable¶
Enable the Usage Data Collector which Neo4j uses to collect usage data. Refer to the operations manual section on the`Usage Data Collector <https://neo4j.com/docs/operations-manual/current/configuration/usage-data-collector/>`_ for more information.
Type: boolean
Default:
falseDeclared by:
services.neo4j.workerCount¶
Number of Neo4j worker threads, where the default of``0`` indicates a worker count equal to the number of available processors.
Type: integer between 0 and 44738 (both inclusive)
Default:
0Declared by:
services.netatalk.enable¶
Whether to enable the Netatalk AFP fileserver.
Type: unspecified
Default:
falseDeclared by:
services.netatalk.extmap¶
File name extension mappings. See
man extmap.conffor more information.Type: strings concatenated with “\n”
Default:
""Declared by:
services.netatalk.extraConfig¶
Lines of configuration to add to the
[Global]section. Seeman apf.conffor more information.Type: strings concatenated with “\n”
Default:
""Example:
"uam list = uams_guest.so"Declared by:
services.netatalk.homes.enable¶
Enable sharing of the UNIX server user home directories.
Type: unspecified
Default:
falseDeclared by:
services.netatalk.homes.basedirRegex¶
Regex which matches the parent directory of the user homes.
Type: unspecified
Example:
"/home"Declared by:
services.netatalk.homes.extraConfig¶
Lines of configuration to add to the
[Homes]section. Seeman apf.conffor more information.Type: strings concatenated with “\n”
Default:
""Declared by:
services.netatalk.homes.path¶
Share not the whole user home but this subdirectory path.
Type: unspecified
Default:
""Example:
"afp-data"Declared by:
services.netatalk.port¶
TCP port to be used for AFP.
Type: unspecified
Default:
548Declared by:
services.netatalk.volumes¶
Set of AFP volumes to export. See
man apf.conffor more information.Type: attribute set of attribute set of unspecifiedss
Default: ``{
}``
Example:
{ srv = { hosts allow = "10.1.0.0/16 10.2.1.100 2001:0db8:1234::/48"; path = "/srv"; read only = true; } ; }Declared by:
services.netdata.enable¶
Whether to enable netdata.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.netdata.config¶
netdata.conf configuration as nix attributes. cannot be combined with configText.
Type: attribute set of attribute sets
Default: ``{
}``
Example:
global = { "debug log" = "syslog"; "access log" = "syslog"; "error log" = "syslog"; };Declared by:
services.netdata.configText¶
Verbatim netdata.conf, cannot be combined with config.
Type: null or strings concatenated with “\n”
Default:
nullExample:
'' [global] debug log = syslog access log = syslog error log = syslog ''Declared by:
services.netdata.extraPluginPaths¶
Extra paths to add to the netdata global “plugins directory” option. Useful for when you want to include your own collection scripts.
Details about writing a custom netdata plugin are available at:` <https://docs.netdata.cloud/collectors/plugins.d/>`_
Cannot be combined with configText.
Type: list of paths
Default: ``[
]``
Example:
[ "/path/to/plugins.d" ]Declared by:
services.netdata.group¶
Group under which netdata runs.
Type: string
Default:
"netdata"Declared by:
services.netdata.python.enable¶
Whether to enable python-based plugins
Type: boolean
Default:
trueDeclared by:
services.netdata.python.extraPackages¶
Extra python packages available at runtime to enable additional python plugins.
Type: unspecified
Default:
"ps: \[]"Example:
ps: [ ps.psycopg2 ps.docker ps.dnspython ]Declared by:
services.netdata.user¶
User account under which netdata runs.
Type: string
Default:
"netdata"Declared by:
services.networking.websockify.enable¶
Whether to enable websockify to forward websocket connections to TCP connections.
Type: boolean
Default:
falseDeclared by:
services.networking.websockify.portMap¶
services.networking.websockify.sslCert¶
Path to the SSL certificate.
Type: path
Declared by:
services.networking.websockify.sslKey¶
Path to the SSL key.
Type: path
Default:
"config.services.networking.websockify.sslCert"Declared by:
services.nextcloud.enable¶
Whether to enable nextcloud.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nextcloud.autoUpdateApps.enable¶
Run regular auto update of all apps installed from the nextcloud app store.
Type: boolean
Default:
falseDeclared by:
services.nextcloud.autoUpdateApps.startAt¶
When to run the update. See `systemd.services.<name>.startAt`.
Type: string or list of strings
Default:
"05:00:00"Example:
"Sun 14:00:00"Declared by:
services.nextcloud.caching.apcu¶
Whether to load the APCu module into PHP.
Type: boolean
Default:
trueDeclared by:
services.nextcloud.caching.memcached¶
Whether to load the Memcached module into PHP. You still need to enable Memcached in your config.php. See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
Type: boolean
Default:
falseDeclared by:
services.nextcloud.caching.redis¶
Whether to load the Redis module into PHP. You still need to enable Redis in your config.php. See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
Type: boolean
Default:
falseDeclared by:
services.nextcloud.config.adminpass¶
Admin password. Use
adminpassFileto avoid this being world-readable in the/nix/store.Type: null or string
Default:
nullDeclared by:
services.nextcloud.config.adminpassFile¶
The full path to a file that contains the admin’s password.
Type: null or string
Default:
nullDeclared by:
services.nextcloud.config.adminuser¶
Admin username.
Type: string
Default:
"root"Declared by:
services.nextcloud.config.dbhost¶
Database host.
Note: for using Unix authentication with PostgreSQL, this should be set to
/run/postgresql.Type: null or string
Default:
"localhost"Declared by:
services.nextcloud.config.dbname¶
Database name.
Type: null or string
Default:
"nextcloud"Declared by:
services.nextcloud.config.dbpass¶
Database password. Use
dbpassFileto avoid this being world-readable in the/nix/store.Type: null or string
Default:
nullDeclared by:
services.nextcloud.config.dbpassFile¶
The full path to a file that contains the database password.
Type: null or string
Default:
nullDeclared by:
services.nextcloud.config.dbport¶
Database port.
Type: null or signed integer or string
Default:
nullDeclared by:
services.nextcloud.config.dbtableprefix¶
Table prefix in Nextcloud database.
Type: null or string
Default:
nullDeclared by:
services.nextcloud.config.dbtype¶
Database type.
Type: one of “sqlite”, “pgsql”, “mysql”
Default:
"sqlite"Declared by:
services.nextcloud.config.dbuser¶
Database user.
Type: null or string
Default:
"nextcloud"Declared by:
services.nextcloud.config.extraTrustedDomains¶
Trusted domains, from which the nextcloud installation will be acessible. You don’t need to add``services.nextcloud.hostname`` here.
Type: list of strings
Default: ``[
]``
Declared by:
services.nextcloud.config.overwriteProtocol¶
Force Nextcloud to always use HTTPS i.e. for link generation. Nextcloud uses the currently used protocol by default, but when behind a reverse-proxy, it may use
httpfor everything although Nextcloud may be served via HTTPS.Type: null or one of “http”, “https”
Default:
nullExample:
"https"Declared by:
services.nextcloud.config.trustedProxies¶
Trusted proxies, to provide if the nextcloud installation is being proxied to secure against e.g. spoofing.
Type: list of strings
Default: ``[
]``
Declared by:
services.nextcloud.home¶
Storage path of nextcloud.
Type: string
Default:
"/var/lib/nextcloud"Declared by:
services.nextcloud.hostName¶
FQDN for the nextcloud instance.
Type: string
Declared by:
services.nextcloud.https¶
Use https for generated links.
Type: boolean
Default:
falseDeclared by:
services.nextcloud.logLevel¶
Log level value between 0 (DEBUG) and 4 (FATAL).
Type: integer between 0 and 4 (both inclusive)
Default:
2Declared by:
services.nextcloud.maxUploadSize¶
Defines the upload limit for files. This changes the relevant options in php.ini and nginx if enabled.
Type: string
Default:
"512M"Declared by:
services.nextcloud.nginx.enable¶
Whether to enable nginx virtual host management. Further nginx configuration can be done by adapting
services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.Type: boolean
Default:
falseDeclared by:
services.nextcloud.phpOptions¶
Options for PHP’s php.ini file for nextcloud.
Type: attribute set of strings
Default:
{ catch_workers_output = "yes"; display_errors = "stderr"; error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; expose_php = "Off"; opcache.enable_cli = "1"; opcache.fast_shutdown = "1"; opcache.interned_strings_buffer = "8"; opcache.max_accelerated_files = "10000"; opcache.memory_consumption = "128"; opcache.revalidate_freq = "1"; openssl.cafile = "/etc/ssl/certs/ca-certificates.crt"; short_open_tag = "Off"; }Declared by:
services.nextcloud.poolConfig¶
Options for nextcloud’s PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.nextcloud.poolSettings¶
Options for nextcloud’s PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = "32"; pm.max_requests = "500"; pm.max_spare_servers = "4"; pm.min_spare_servers = "2"; pm.start_servers = "2"; }Declared by:
services.nextcloud.skeletonDirectory¶
The directory where the skeleton files are located. These files will be copied to the data directory of new users. Leave empty to not copy any skeleton files.
Type: string
Default:
""Declared by:
services.nextcloud.webfinger¶
Enable this option if you plan on using the webfinger plugin. The appropriate nginx rewrite rules will be added to your configuration.
Type: boolean
Default:
falseDeclared by:
services.nexus.enable¶
Whether to enable Sonatype Nexus3 OSS service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nexus.package¶
Package which runs Nexus3
Type: package
Default:
*(build of nexus-3.20.1-01)*Declared by:
services.nexus.group¶
Group which runs Nexus3.
Type: string
Default:
"nexus"Declared by:
services.nexus.home¶
Home directory of the Nexus3 instance.
Type: string
Default:
"/var/lib/sonatype-work"Declared by:
services.nexus.jvmOpts¶
Options for the JVM written to `nexus.jvmopts`. Please refer to the docs (https://help.sonatype.com/repomanager3/installation/configuring-the-runtime-environment) for further information.
Type: strings concatenated with “\n”
Default:
'' -Xms1200M -Xmx1200M -XX:MaxDirectMemorySize=2G -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass -XX:+LogVMOutput -XX:LogFile=/var/lib/sonatype-work/nexus3/log/jvm.log -XX:-OmitStackTraceInFastThrow -Djava.net.preferIPv4Stack=true -Dkaraf.home=''${pkgs.nexus} -Dkaraf.base=''${pkgs.nexus} -Dkaraf.etc=''${pkgs.nexus}/etc/karaf -Djava.util.logging.config.file=''${pkgs.nexus}/etc/karaf/java.util.logging.properties -Dkaraf.data=/var/lib/sonatype-work/nexus3 -Djava.io.tmpdir=/var/lib/sonatype-work/nexus3/tmp -Dkaraf.startLocalConsole=false -Djava.endorsed.dirs=''${pkgs.nexus}/lib/endorsed ''Declared by:
services.nexus.listenAddress¶
Address to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.nexus.listenPort¶
Port to listen on.
Type: signed integer
Default:
8081Declared by:
services.nexus.user¶
User which runs Nexus3.
Type: string
Default:
"nexus"Declared by:
services.nfs.extraConfig¶
Extra nfs-utils configuration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nfs.server.enable¶
Whether to enable the kernel’s NFS server.
Type: boolean
Default:
falseDeclared by:
services.nfs.server.createMountPoints¶
Whether to create the mount points in the exports file at startup time.
Type: boolean
Default:
falseDeclared by:
services.nfs.server.exports¶
Contents of the /etc/exports file. Seeexports5 for the format.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nfs.server.extraNfsdConfig¶
Extra configuration options for the [nfsd] section of /etc/nfs.conf.
Type: string
Default:
""Declared by:
services.nfs.server.hostName¶
Hostname or address on which NFS requests will be accepted. Default is all. See the option innfsd8.
Type: null or string
Default:
nullDeclared by:
services.nfs.server.lockdPort¶
Use a fixed port for the NFS lock manager kernel module (
lockd/nlockmgr). This is useful if the NFS server is behind a firewall.Type: null or signed integer
Default:
nullExample:
4001Declared by:
services.nfs.server.mountdPort¶
Use fixed port for rpc.mountd, useful if server is behind firewall.
Type: null or signed integer
Default:
nullExample:
4002Declared by:
services.nfs.server.nproc¶
Number of NFS server threads. Defaults to the recommended value of 8.
Type: signed integer
Default:
8Declared by:
services.nfs.server.statdPort¶
Use a fixed port for rpc.statd. This is useful if the NFS server is behind a firewall.
Type: null or signed integer
Default:
nullExample:
4000Declared by:
services.nghttpx.enable¶
Whether to enable nghttpx.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nghttpx.backend-address-family¶
Specify address family of backend connections. If “auto” is given, both IPv4 and IPv6 are considered. If “IPv4” is given, only IPv4 address is considered. If “IPv6” is given, only IPv6 address is considered.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–backend-address-family
Type: one of “auto”, “IPv4”, “IPv6”
Default:
"auto"Declared by:
services.nghttpx.backends¶
A list of backend specifications.
Type: list of submodules
Example: ``[
{ params = { proto = “http/1.1”; redirect-if-not-tls = true; } ; patterns = [ “/” ] ; server = { host = “172.16.0.22”; port = 8443; } ; }
]``
Declared by:
services.nghttpx.backends.*.params¶
Parameters to configure a backend.
Type: null or submodule
Default:
nullExample:
{ proto = "h2"; tls = true; }Declared by:
services.nghttpx.backends.*.params.affinity¶
If “ip” is given, client IP based session affinity is enabled. If “none” is given, session affinity is disabled.
Session affinity is enabled (by nghttpx) per-backend pattern. If at least one backend has a non-“none” affinity, then session affinity is enabled for all backend servers sharing the same pattern.
It is advised to set affinity on all backends explicitly if session affinity is desired. The session affinity may break if one of the backend gets unreachable, or backend settings are reloaded or replaced by API.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: one of “ip”, “none”
Default:
"none"Declared by:
services.nghttpx.backends.*.params.dns¶
Name resolution of a backends host name is done at start up, or configuration reload. If “dns” is true, name resolution takes place dynamically.
This is useful if a backends address changes frequently. If “dns” is true, name resolution of a backend’s host name at start up, or configuration reload is skipped.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.backends.*.params.fall¶
If nghttpx cannot connect to the backend N times in a row, the backend is assumed to be offline and is excluded from load balancing. If N is 0 the backend is never excluded from load balancing.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: signed integer
Default:
0Declared by:
services.nghttpx.backends.*.params.proto¶
This option configures the protocol the backend server expects to use.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: one of “h2”, “http/1.1”
Default:
"http/1.1"Declared by:
services.nghttpx.backends.*.params.redirect-if-not-tls¶
If true, a backend match requires the frontend connection be TLS encrypted. If it is not, nghttpx responds to the request with a 308 status code and https URI the client should use instead in the Location header.
The port number in the redirect URI is 443 by default and can be changed using ‘services.nghttpx.redirect-https-port’ option.
If at least one backend has “redirect-if-not-tls” set to true, this feature is enabled for all backend servers with the same pattern. It is advised to set “redirect-if-no-tls” parameter to all backends explicitly if this feature is desired.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.backends.*.params.rise¶
If the backend is excluded from load balancing, nghttpx will periodically attempt to make a connection to the backend. If the connection is successful N times in a row the backend is re-included in load balancing. If N is 0 a backend is never reconsidered for load balancing once it falls.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: signed integer
Default:
0Declared by:
services.nghttpx.backends.*.params.sni¶
Override the TLS SNI field value. This value (in nghttpx) defaults to the host value of the backend configuration.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: null or string
Default:
nullDeclared by:
services.nghttpx.backends.*.params.tls¶
This option determines whether nghttpx will negotiate its connection with a backend server using TLS or not. The burden is on the backend server to provide the TLS certificate!
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.backends.*.patterns¶
List of nghttpx backend patterns.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more information on the pattern syntax and nghttpxs behavior.
Type: list of strings
Default: ``[
]``
Example:
[ "\*.host.net/v1/" "host.org/v2/mypath" "/somepath" ]Declared by:
services.nghttpx.backends.*.server¶
Backend server location specified as either a host:port pair or a unix domain docket.
Type: submodule or path
Default:
{ host = "127.0.0.1"; port = 80; }Example:
{ host = "127.0.0.1"; port = 8888; }Declared by:
services.nghttpx.backlog¶
Listen backlog size.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–backlog
Type: signed integer
Default:
65536Declared by:
services.nghttpx.extraConfig¶
Extra configuration options to be appended to the generated configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nghttpx.frontends¶
A list of frontend listener specifications.
Type: list of submodules
Example: ``[
{ params = { tls = “no-tls”; } ; server = { host = “*”; port = 80; } ; }
]``
Declared by:
services.nghttpx.frontends.*.params¶
Parameters to configure a backend.
Type: null or submodule
Default:
nullExample:
{ tls = "tls"; }Declared by:
services.nghttpx.frontends.*.params.api¶
Enable API access for this frontend. This enables you to dynamically modify nghttpx at run-time therefore this feature is disabled by default and should be turned on with care.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.frontends.*.params.healthmon¶
Make this frontend a health monitor endpoint. Any request received on this frontend is responded to with a 200 OK.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.frontends.*.params.proxyproto¶
Accept PROXY protocol version 1 on frontend connection.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.frontends.*.params.sni-fwd¶
When performing a match to select a backend server, SNI host name received from the client is used instead of the request host. See –backend option about the pattern match.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.
Type: boolean
Default:
falseDeclared by:
services.nghttpx.frontends.*.params.tls¶
Enable or disable TLS. If true (enabled) the key and certificate must be configured for nghttpx.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.
Type: one of “tls”, “no-tls”
Default:
"tls"Declared by:
services.nghttpx.frontends.*.server¶
Frontend server interface binding specification as either a host:port pair or a unix domain docket.
NB: a host of “*” listens on all interfaces and includes IPv6 addresses.
Type: submodule or path
Default:
{ host = "127.0.0.1"; port = 80; }Example:
{ host = "127.0.0.1"; port = 8888; }Declared by:
services.nghttpx.rlimit-nofile¶
Set maximum number of open files (RLIMIT_NOFILE) to <N>. If 0 is given, nghttpx does not set the limit.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–rlimit-nofile
Type: signed integer
Default:
0Declared by:
services.nghttpx.single-process¶
Run this program in a single process mode for debugging purpose. Without this option, nghttpx creates at least 2 processes: master and worker processes. If this option is used, master and worker are unified into a single process. nghttpx still spawns additional process if neverbleed is used. In the single process mode, the signal handling feature is disabled.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–single-process
Type: boolean
Default:
falseDeclared by:
services.nghttpx.single-thread¶
Run everything in one thread inside the worker process. This feature is provided for better debugging experience, or for the platforms which lack thread support. If threading is disabled, this option is always enabled.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–single-thread
Type: boolean
Default:
falseDeclared by:
services.nghttpx.tls¶
TLS certificate and key paths. Note that this does not enable TLS for a frontend listener, to do so, a frontend specification must set
params.tlsto true.Type: null or submodule
Default:
nullExample:
{ crt = "/etc/ssl/certs/server.crt"; key = "/etc/ssl/keys/server.key"; }Declared by:
services.nghttpx.tls.crt¶
Path to the TLS certificate file.
Type: string
Default:
"/etc/ssl/certs/server.crt"Example:
"/etc/ssl/certs/mycert.crt"Declared by:
services.nghttpx.tls.key¶
Path to the TLS key file.
Type: string
Default:
"/etc/ssl/keys/server.key"Example:
"/etc/ssl/keys/mykeyfile.key"Declared by:
services.nghttpx.workers¶
Set the number of worker threads.
Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-n
Type: signed integer
Default:
1Declared by:
services.nginx.enable¶
Whether to enable Nginx Web Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nginx.enableReload¶
Reload nginx when configuration file changes (instead of restart). The configuration file is exposed at
/etc/nginx/nginx.conf. See alsosystemd.services.*.restartIfChanged.Type: boolean
Default:
falseDeclared by:
services.nginx.package¶
Nginx package to use. This defaults to the stable version. Note that the nginx team recommends to use the mainline version which available in nixpkgs as
nginxMainline.Type: package
Default:
"pkgs.nginxStable"Declared by:
services.nginx.appendConfig¶
Configuration lines appended to the generated Nginx configuration file. Commonly used by different modules providing http snippets. can be specified more than once and it’s value will be concatenated (contrary to which can be set only once).
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.appendHttpConfig¶
Configuration lines to be appended to the generated http block. This is mutually exclusive with using config and httpConfig for specifying the whole http block verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.clientMaxBodySize¶
Set nginx global client_max_body_size.
Type: string
Default:
"10m"Declared by:
services.nginx.commonHttpConfig¶
With nginx you must provide common http context definitions before they are used, e.g. log_format, resolver, etc. inside of server or location contexts. Use this attribute to set these definitions at the appropriate location.
Type: strings concatenated with “\n”
Default:
""Example:
'' resolver 127.0.0.1 valid=5s; log_format myformat '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; ''Declared by:
services.nginx.config¶
Verbatim nginx.conf configuration. This is mutually exclusive with the structured configuration via virtualHosts and the recommendedXyzSettings configuration options. See appendConfig for appending to the generated http block.
Type: unspecified
Default:
""Declared by:
services.nginx.eventsConfig¶
Configuration lines to be set inside the events block.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.gitweb.enable¶
If true, enable gitweb in nginx.
Type: boolean
Default:
falseDeclared by:
services.nginx.gitweb.group¶
Group that the CGI process will belong to. (Set to
config.services.gitolite.groupif you are using gitolite.)Type: string
Default:
"nginx"Declared by:
services.nginx.gitweb.location¶
Location to serve gitweb on.
Type: string
Default:
"/gitweb"Declared by:
services.nginx.gitweb.user¶
Existing user that the CGI process will belong to. (Default almost surely will do.)
Type: string
Default:
"nginx"Declared by:
services.nginx.gitweb.virtualHost¶
VirtualHost to serve gitweb on. Default is catch-all.
Type: string
Default:
"_"Declared by:
services.nginx.group¶
Group account under which nginx runs.
Type: string
Default:
"nginx"Declared by:
services.nginx.httpConfig¶
Configuration lines to be set inside the http block. This is mutually exclusive with the structured configuration via virtualHosts and the recommendedXyzSettings configuration options. See appendHttpConfig for appending to the generated http block.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.logError¶
Configures logging. The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. If this parameter is omitted then error is used.
Type: unspecified
Default:
"stderr"Declared by:
services.nginx.mapHashBucketSize¶
Sets the bucket size for the map variables hash tables. Default value depends on the processor’s cache line size.
Type: null or one of 32, 64, 128
Default:
nullDeclared by:
services.nginx.mapHashMaxSize¶
Sets the maximum size of the map variables hash tables.
Type: null or positive integer, meaning >0
Default:
nullDeclared by:
services.nginx.preStart¶
Shell commands executed before the service’s nginx is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.proxyResolveWhileRunning¶
Resolves domains of proxyPass targets at runtime and not only at start, you have to set services.nginx.resolver, too.
Type: boolean
Default:
falseDeclared by:
services.nginx.recommendedGzipSettings¶
Enable recommended gzip settings.
Type: boolean
Default:
falseDeclared by:
services.nginx.recommendedOptimisation¶
Enable recommended optimisation settings.
Type: boolean
Default:
falseDeclared by:
services.nginx.recommendedProxySettings¶
Enable recommended proxy settings.
Type: boolean
Default:
falseDeclared by:
services.nginx.recommendedTlsSettings¶
Enable recommended TLS settings.
Type: boolean
Default:
falseDeclared by:
services.nginx.resolver¶
Configures name servers used to resolve names of upstream servers into addresses
Type: submodule
Default: ``{
}``
Declared by:
services.nginx.resolver.addresses¶
List of resolvers to use
Type: list of strings
Default: ``[
]``
Example:
[ "[::1]" "127.0.0.1:5353" ]Declared by:
services.nginx.resolver.ipv6¶
By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv6 addresses is not desired, the ipv6=off parameter can be specified.
Type: boolean
Default:
trueDeclared by:
services.nginx.resolver.valid¶
By default, nginx caches answers using the TTL value of a response. An optional valid parameter allows overriding it
Type: string
Default:
""Example:
"30s"Declared by:
services.nginx.serverTokens¶
Show nginx version in headers and error pages.
Type: boolean
Default:
falseDeclared by:
services.nginx.sslCiphers¶
Ciphers to choose from when negotiating tls handshakes.
Type: string
Default:
"EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL"Declared by:
services.nginx.sslDhparam¶
Path to DH parameters file.
Type: null or path
Default:
nullExample:
"/path/to/dhparams.pem"Declared by:
services.nginx.sslProtocols¶
Allowed TLS protocol versions.
Type: string
Default:
"TLSv1.2 TLSv1.3"Example:
"TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"Declared by:
services.nginx.sso.enable¶
Whether to enable nginx-sso service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nginx.sso.configuration¶
nginx-sso configuration (documentation) as a Nix attribute set.
Type: attribute set of unspecifieds
Default: ``{
}``
Example:
{ listen = { addr = "127.0.0.1"; port = 8080; }; providers.token.tokens = { myuser = "MyToken"; }; acl = { rule_sets = [ { rules = [ { field = "x-application"; equals = "MyApp"; } ]; allow = [ "myuser" ]; } ]; }; }Declared by:
services.nginx.stateDir¶
Directory holding all state for nginx to run.
Type: unspecified
Default:
"/var/spool/nginx"Declared by:
services.nginx.statusPage¶
Enable status page reachable from localhost on http://127.0.0.1/nginx_status.
Type: boolean
Default:
falseDeclared by:
services.nginx.upstreams¶
Defines a group of servers to use as proxy target.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.nginx.upstreams.<name>.extraConfig¶
These lines go to the end of the upstream verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.upstreams.<name>.servers¶
Defines the address and other parameters of the upstream servers.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.nginx.upstreams.<name>.servers.<name>.backup¶
Marks the server as a backup server. It will be passed requests when the primary servers are unavailable.
Type: boolean
Default:
falseDeclared by:
services.nginx.user¶
User account under which nginx runs.
Type: string
Default:
"nginx"Declared by:
services.nginx.virtualHosts¶
Declarative vhost config
Type: attribute set of submodules
Default: ``{ localhost = {
}``
Example:
{ "hydra.example.com" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://localhost:3000"; }; }; };Declared by:
services.nginx.virtualHosts.<name>.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.nginx.virtualHosts.<name>.acmeFallbackHost¶
Host which to proxy requests to if acme challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
Type: null or string
Default:
nullDeclared by:
services.nginx.virtualHosts.<name>.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenge"Declared by:
services.nginx.virtualHosts.<name>.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.nginx.virtualHosts.<name>.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the nix store.
Type: attribute set of strings
Default: ``{
}``
Example:
{ user = "password"; };Declared by:
services.nginx.virtualHosts.<name>.basicAuthFile¶
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>
Type: null or path
Default:
nullDeclared by:
services.nginx.virtualHosts.<name>.default¶
Makes this vhost the default.
Type: boolean
Default:
falseDeclared by:
services.nginx.virtualHosts.<name>.extraConfig¶
These lines go to the end of the vhost verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.virtualHosts.<name>.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.nginx.virtualHosts.<name>.globalRedirect¶
If set, all requests for this host are redirected permanently to the given hostname.
Type: null or string
Default:
nullExample:
"newserver.example.org"Declared by:
services.nginx.virtualHosts.<name>.http2¶
Whether to enable HTTP 2. Note that (as of writing) due to nginx’s implementation, to disable HTTP 2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2,then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default:
trueDeclared by:
services.nginx.virtualHosts.<name>.listen¶
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides
addSSLandonlySSL.Type: list of submodules
Default: ``[
]``
Example: ``[
{ addr = “195.154.1.1”; port = 443; ssl = true; }
{ addr = “192.154.1.1”; port = 80; }
]``
Declared by:
services.nginx.virtualHosts.<name>.listen.*.addr¶
IP address.
Type: string
Declared by:
services.nginx.virtualHosts.<name>.listen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of strings
Default: ``[
]``
Example:
[ "reuseport" "deferred" ]Declared by:
services.nginx.virtualHosts.<name>.listen.*.port¶
Port number.
Type: signed integer
Default:
80Declared by:
services.nginx.virtualHosts.<name>.listen.*.ssl¶
Enable SSL.
Type: boolean
Default:
falseDeclared by:
services.nginx.virtualHosts.<name>.locations¶
Declarative location config
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; };Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.alias¶
Alias directory for requests.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.index¶
Adds index directive.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.proxyPass¶
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.proxyWebsockets¶
Whether to supporty proxying websocket connections with HTTP/1.1.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nginx.virtualHosts.<name>.locations.<name>.return¶
Adds a return directive, for e.g. redirections.
Type: null or string
Default:
nullExample:
"301 http://example.com\\$request_uri"Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.root¶
Root directory for requests.
Type: null or path
Default:
nullExample:
"/your/root/directory"Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.tryFiles¶
Adds try_files directive.
Type: null or string
Default:
nullExample:
"\\$uri =404"Declared by:
services.nginx.virtualHosts.<name>.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.nginx.virtualHosts.<name>.root¶
The path of the web root directory.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.nginx.virtualHosts.<name>.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "example.org" ]Declared by:
services.nginx.virtualHosts.<name>.serverName¶
Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default:
nullExample:
"example.org"Declared by:
services.nginx.virtualHosts.<name>.sslCertificate¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.nginx.virtualHosts.<name>.sslCertificateKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.nginx.virtualHosts.<name>.sslTrustedCertificate¶
Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default:
nullExample:
"/var/root.cert"Declared by:
services.nginx.virtualHosts.<name>.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.ngircd.enable¶
Whether to enable the ngircd IRC server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ngircd.package¶
The ngircd package.
Type: package
Default:
"pkgs.ngircd"Declared by:
services.ngircd.config¶
The ngircd configuration (see ngircd.conf(5)).
Type: strings concatenated with “\n”
Declared by:
services.nix-serve.enable¶
Whether to enable nix-serve, the standalone Nix binary cache server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nix-serve.bindAddress¶
IP address where nix-serve will bind its listening socket.
Type: string
Default:
"0.0.0.0"Declared by:
services.nix-serve.extraParams¶
Extra command line parameters for nix-serve.
Type: strings concatenated with ” “
Default:
""Declared by:
services.nix-serve.port¶
Port number where nix-serve will listen on.
Type: signed integer
Default:
5000Declared by:
services.nix-serve.secretKeyFile¶
The path to the file used for signing derivation data. Generate with:
` nix-store --generate-binary-cache-key key-name secret-key-file public-key-file \`Make sure user `nix-serve` has read access to the private key file.
For more details see nix-store1.
Type: null or string
Default:
nullDeclared by:
services.nixops-dns.enable¶
Whether to enable the nixops-dns resolution of NixOps virtual machines via dnsmasq and fake domain name.
Type: boolean
Default:
falseDeclared by:
services.nixops-dns.dnsmasq¶
Enable dnsmasq forwarding to nixops-dns. This allows to use nixops-dns for `services.nixops-dns.domain` resolution while forwarding the rest of the queries to original resolvers.
Type: boolean
Default:
trueDeclared by:
services.nixops-dns.domain¶
Fake domain name to resolve to NixOps virtual machines.
For example “ops” will resolve “vm.ops”.
Type: string
Default:
"ops"Example:
"ops"Declared by:
services.nixops-dns.user¶
The user the nixops-dns daemon should run as. This should be the user, which is also used for nixops and have the .nixops directory in its home.
Type: string
Declared by:
services.nixosManual.browser¶
Browser used to show the manual.
Type: path
Default:
"\\${pkgs.w3m-nographics}/bin/w3m"Declared by:
services.nixosManual.showManual¶
Whether to show the NixOS manual on one of the virtual consoles.
Type: boolean
Default:
falseDeclared by:
services.nixosManual.ttyNumber¶
Virtual console on which to show the manual.
Type: signed integer
Default:
8Declared by:
services.nntp-proxy.enable¶
Whether to enable NNTP-Proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nntp-proxy.listenAddress¶
Proxy listen address (IPv6 literal addresses need to be enclosed in “[” and “]” characters)
Type: string
Default:
"127.0.0.1"Example:
"\[::]"Declared by:
services.nntp-proxy.port¶
Proxy listen port
Type: signed integer
Default:
5555Declared by:
services.nntp-proxy.prohibitPosting¶
Whether to prohibit posting to the upstream server
Type: boolean
Default:
trueDeclared by:
services.nntp-proxy.sslCert¶
Proxy ssl certificate path
Type: string
Default:
"cert.pem"Example:
"/path/to/your/cert.file"Declared by:
services.nntp-proxy.sslKey¶
Proxy ssl key path
Type: string
Default:
"key.pem"Example:
"/path/to/your/key.file"Declared by:
services.nntp-proxy.upstreamMaxConnections¶
Upstream server maximum allowed concurrent connections
Type: signed integer
Default:
20Declared by:
services.nntp-proxy.upstreamPassword¶
Upstream server password
Type: string
Default:
""Declared by:
services.nntp-proxy.upstreamPort¶
Upstream server port
Type: signed integer
Default:
563Declared by:
services.nntp-proxy.upstreamServer¶
Upstream server address
Type: string
Default:
""Example:
"ssl-eu.astraweb.com"Declared by:
services.nntp-proxy.upstreamUser¶
Upstream server username
Type: string
Default:
""Declared by:
services.nntp-proxy.users¶
NNTP-Proxy user configuration
Type: attribute set of submodules
Default: ``{
}``
Example:
"user1" = { passwordHash = "$6$1l0t5Kn2Dk$appzivc./9l/kjq57eg5UCsBKlcfyCr0zNWYNerKoPsI1d7eAwiT0SVsOVx/CTgaBNT/u4fi2vN.iGlPfv1ek0"; maxConnections = 5; }; "anotheruser" = { passwordHash = "$6$6lwEsWB.TmsS$W7m1riUx4QrA8pKJz8hvff0dnF1NwtZXgdjmGqA1Dx2MDPj07tI9GNcb0SWlMglE.2/hBgynDdAd/XqqtRqVQ0"; maxConnections = 7; };Declared by:
services.nntp-proxy.users.<name>.maxConnections¶
Maximum number of concurrent connections to the proxy for this user
Type: signed integer
Default:
1Declared by:
services.nntp-proxy.users.<name>.passwordHash¶
SHA-512 password hash (can be generated bymkpasswd -m sha-512 <password>)
Type: string
Default:
nullExample:
"\\$6\\$GtzE7FrpE\\$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0"Declared by:
services.nntp-proxy.users.<name>.username¶
Username
Type: string
Default:
nullDeclared by:
services.nntp-proxy.verbosity¶
Verbosity level
Type: one of “error”, “warning”, “notice”, “info”, “debug”
Default:
"info"Example:
"error"Declared by:
services.novacomd.enable¶
Whether to enable Novacom service for connecting to WebOS devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nscd.enable¶
Whether to enable the Name Service Cache Daemon.
Type: boolean
Default:
trueDeclared by:
services.nscd.config¶
Configuration to use for Name Service Cache Daemon.
Type: strings concatenated with “\n”
Default:
'' # We basically use nscd as a proxy for forwarding nss requests to appropriate # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory # containing all such modules # Note that we can not use `enable-cache no` As this will actually cause nscd # to just reject the nss requests it receives, which then causes glibc to # fallback to trying to handle the request by itself. Which won't work as glibc # is not aware of the path in which the nss modules live. As a workaround, we # have `enable-cache yes` with an explicit ttl of 0 server-user nscd enable-cache passwd yes positive-time-to-live passwd 0 negative-time-to-live passwd 0 shared passwd yes enable-cache group yes positive-time-to-live group 0 negative-time-to-live group 0 shared group yes enable-cache netgroup yes positive-time-to-live netgroup 0 negative-time-to-live netgroup 0 shared netgroup yes enable-cache hosts yes positive-time-to-live hosts 600 negative-time-to-live hosts 0 shared hosts yes enable-cache services yes positive-time-to-live services 0 negative-time-to-live services 0 shared services yes ''Declared by:
services.nsd.enable¶
Whether to enable NSD authoritative DNS server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nsd.bind8Stats¶
Whether to enable BIND8 like statistics.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nsd.dnssecInterval¶
How often to check whether dnssec key rollover is required
Type: string
Default:
"1h"Declared by:
services.nsd.extraConfig¶
Extra nsd config.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.nsd.hideVersion¶
Whether NSD should answer VERSION.BIND and VERSION.SERVER CHAOS class queries.
Type: boolean
Default:
trueDeclared by:
services.nsd.identity¶
Identify the server (CH TXT ID.SERVER entry).
Type: string
Default:
"unidentified server"Declared by:
services.nsd.interfaces¶
What addresses the server should listen to.
Type: list of strings
Default:
[ "127.0.0.0" "::1" ]Declared by:
services.nsd.ipFreebind¶
Whether to bind to nonlocal addresses and interfaces that are down. Similar to ip-transparent.
Type: boolean
Default:
falseDeclared by:
services.nsd.ipTransparent¶
Allow binding to non local addresses.
Type: boolean
Default:
falseDeclared by:
services.nsd.ipv4¶
Whether to listen on IPv4 connections.
Type: boolean
Default:
trueDeclared by:
services.nsd.ipv4EDNSSize¶
Preferred EDNS buffer size for IPv4.
Type: signed integer
Default:
4096Declared by:
services.nsd.ipv6¶
Whether to listen on IPv6 connections.
Type: boolean
Default:
trueDeclared by:
services.nsd.ipv6EDNSSize¶
Preferred EDNS buffer size for IPv6.
Type: signed integer
Default:
4096Declared by:
services.nsd.keys¶
Define your TSIG keys here.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "tsig.example.org" = { algorithm = "hmac-md5"; keyFile = "/path/to/my/key"; }; }Declared by:
services.nsd.keys.<name>.algorithm¶
Authentication algorithm for this key.
Type: string
Default:
"hmac-sha256"Declared by:
services.nsd.keys.<name>.keyFile¶
Path to the file which contains the actual base64 encoded key. The key will be copied into “/var/lib/nsd/private” before NSD starts. The copied file is only accessibly by the NSD user.
Type: path
Declared by:
services.nsd.logTimeAscii¶
Log time in ascii, if false then in unix epoch seconds.
Type: boolean
Default:
trueDeclared by:
services.nsd.nsid¶
NSID identity (hex string, or “ascii_somestring”).
Type: null or string
Default:
nullDeclared by:
services.nsd.port¶
Port the service should bind do.
Type: signed integer
Default:
53Declared by:
services.nsd.ratelimit.enable¶
Whether to enable ratelimit capabilities.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nsd.ratelimit.ipv4PrefixLength¶
IPv4 prefix length. Addresses are grouped by netblock.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.ratelimit.ipv6PrefixLength¶
IPv6 prefix length. Addresses are grouped by netblock.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.ratelimit.ratelimit¶
Max qps allowed from any query source. 0 means unlimited. With an verbosity of 2 blocked and unblocked subnets will be logged.
Type: signed integer
Default:
200Declared by:
services.nsd.ratelimit.size¶
Size of the hashtable. More buckets use more memory but lower the chance of hash hash collisions.
Type: signed integer
Default:
1000000Declared by:
services.nsd.ratelimit.slip¶
Number of packets that get discarded before replying a SLIP response. 0 disables SLIP responses. 1 will make every response a SLIP response.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.ratelimit.whitelistRatelimit¶
Max qps allowed from whitelisted sources. 0 means unlimited. Set the rrl-whitelist option for specific queries to apply this limit instead of the default to them.
Type: signed integer
Default:
2000Declared by:
services.nsd.remoteControl.enable¶
Whether to enable remote control via nsd-control.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nsd.remoteControl.controlCertFile¶
Path to the client certificate signed with the server certificate. This file is used by nsd-control and generated by nsd-control-setup.
Type: path
Default:
"/etc/nsd/nsd_control.pem"Declared by:
services.nsd.remoteControl.controlKeyFile¶
Path to the client private key, which is used by nsd-control but not by the server. This file is generated by nsd-control-setup.
Type: path
Default:
"/etc/nsd/nsd_control.key"Declared by:
services.nsd.remoteControl.interfaces¶
Which interfaces NSD should bind to for remote control.
Type: list of strings
Default:
[ "127.0.0.1" "::1" ]Declared by:
services.nsd.remoteControl.port¶
Port number for remote control operations (uses TLS over TCP).
Type: signed integer
Default:
8952Declared by:
services.nsd.remoteControl.serverCertFile¶
Path to the server self signed certificate, which is used by the server but and by nsd-control. This file is generated by nsd-control-setup.
Type: path
Default:
"/etc/nsd/nsd_server.pem"Declared by:
services.nsd.remoteControl.serverKeyFile¶
Path to the server private key, which is used by the server but not by nsd-control. This file is generated by nsd-control-setup.
Type: path
Default:
"/etc/nsd/nsd_server.key"Declared by:
services.nsd.reuseport¶
Whether to enable SO_REUSEPORT on all used sockets. This lets multiple processes bind to the same port. This speeds up operation especially if the server count is greater than one and makes fast restarts less prone to fail
Type: boolean
Default:
trueDeclared by:
services.nsd.rootServer¶
Whether this server will be a root server (a DNS root server, you usually don’t want that).
Type: boolean
Default:
falseDeclared by:
services.nsd.roundRobin¶
Whether to enable round robin rotation of records.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nsd.serverCount¶
Number of NSD servers to fork. Put the number of CPUs to use here.
Type: signed integer
Default:
1Declared by:
services.nsd.statistics¶
Statistics are produced every number of seconds. Prints to log. If null no statistics are logged.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.tcpCount¶
Maximum number of concurrent TCP connections per server.
Type: signed integer
Default:
100Declared by:
services.nsd.tcpQueryCount¶
Maximum number of queries served on a single TCP connection. 0 means no maximum.
Type: signed integer
Default:
0Declared by:
services.nsd.tcpTimeout¶
TCP timeout in seconds.
Type: signed integer
Default:
120Declared by:
services.nsd.verbosity¶
Verbosity level.
Type: signed integer
Default:
0Declared by:
services.nsd.version¶
The version string replied for CH TXT version.server and version.bind queries. Will use the compiled package version on null. See hideVersion for enabling/disabling this responses.
Type: null or string
Default:
nullDeclared by:
services.nsd.xfrdReloadTimeout¶
Number of seconds between reloads triggered by xfrd.
Type: signed integer
Default:
1Declared by:
services.nsd.zonefilesCheck¶
Whether to check mtime of all zone files on start and sighup.
Type: boolean
Default:
trueDeclared by:
services.nsd.zones¶
Define your zones here. Zones can cascade other zones and therefore inherit settings from parent zones. Look at the definition of children to learn about inheritance and child zones. The given example will define 3 zones (example.(com|org|net).). Both example.com. and example.org. inherit their configuration from serverGroup1.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "serverGroup1" = { provideXFR = [ "10.1.2.3 NOKEY" ]; children = { "example.com." = { data = '' $ORIGIN example.com. $TTL 86400 @ IN SOA a.ns.example.com. admin.example.com. ( ... ''; }; "example.org." = { data = '' $ORIGIN example.org. $TTL 86400 @ IN SOA a.ns.example.com. admin.example.com. ( ... ''; }; }; }; "example.net." = { provideXFR = [ "10.3.2.1 NOKEY" ]; data = '' ... ''; }; }Declared by:
services.nsd.zones.<name>.allowAXFRFallback¶
If NSD as secondary server should be allowed to AXFR if the primary server does not allow IXFR.
Type: boolean
Default:
trueDeclared by:
services.nsd.zones.<name>.allowNotify¶
Listed primary servers are allowed to notify this secondary server.
Format: <ip> <key-name | NOKEY | BLOCKED> <ip> either a plain IPv4/IPv6 address or range. Valid patters for ranges: * 10.0.0.0/24 # via subnet size * 10.0.0.0&255.255.255.0 # via subnet mask * 10.0.0.1-10.0.0.254 # via range A optional port number could be added with a '@': * 2001:1234::1@1234 <key-name | NOKEY | BLOCKED> * <key-name> will use the specified TSIG key * NOKEY no TSIG signature is required * BLOCKED notifies from non-listed or blocked IPs will be ignored *Type: list of strings
Default: ``[
]``
Example:
[ "192.0.2.0/24 NOKEY" "10.0.0.1-10.0.0.5 my_tsig_key_name" "10.0.3.4&255.255.0.0 BLOCKED" ]Declared by:
services.nsd.zones.<name>.children¶
Children zones inherit all options of their parents. Attributes defined in a child will overwrite the ones of its parent. Only leaf zones will be actually served. This way it’s possible to define maybe zones which share most attributes without duplicating everything. This mechanism replaces nsd’s patterns in a save and functional way.
Type: unspecified
Default: ``{
}``
Declared by:
services.nsd.zones.<name>.data¶
The actual zone data. This is the content of your zone file. Use imports or pkgs.lib.readFile if you don’t want this data in your config file.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.nsd.zones.<name>.dnssec¶
Whether to enable DNSSEC.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nsd.zones.<name>.dnssecPolicy.algorithm¶
Which algorithm to use for DNSSEC
Type: string
Default:
"RSASHA256"Declared by:
services.nsd.zones.<name>.dnssecPolicy.coverage¶
The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
Type: string
Default:
"1y"Declared by:
services.nsd.zones.<name>.dnssecPolicy.keyttl¶
TTL for dnssec records
Type: string
Default:
"1h"Declared by:
services.nsd.zones.<name>.dnssecPolicy.ksk¶
Key policy for key signing keys
Type: submodule
Default:
{ keySize = 4096; postPublish = "1mo"; prePublish = "1mo"; rollPeriod = "0"; }Declared by:
services.nsd.zones.<name>.dnssecPolicy.ksk.keySize¶
Key size in bits
Type: signed integer
Declared by:
services.nsd.zones.<name>.dnssecPolicy.ksk.postPublish¶
How long after deactivation to keep a key in the zone
Type: string
Declared by:
services.nsd.zones.<name>.dnssecPolicy.ksk.prePublish¶
How long in advance to publish new keys
Type: string
Declared by:
services.nsd.zones.<name>.dnssecPolicy.ksk.rollPeriod¶
How frequently to change keys
Type: string
Declared by:
services.nsd.zones.<name>.dnssecPolicy.zsk¶
Key policy for zone signing keys
Type: submodule
Default:
{ keySize = 2048; postPublish = "1w"; prePublish = "1w"; rollPeriod = "1mo"; }Declared by:
services.nsd.zones.<name>.dnssecPolicy.zsk.keySize¶
Key size in bits
Type: signed integer
Declared by:
services.nsd.zones.<name>.dnssecPolicy.zsk.postPublish¶
How long after deactivation to keep a key in the zone
Type: string
Declared by:
services.nsd.zones.<name>.dnssecPolicy.zsk.prePublish¶
How long in advance to publish new keys
Type: string
Declared by:
services.nsd.zones.<name>.dnssecPolicy.zsk.rollPeriod¶
How frequently to change keys
Type: string
Declared by:
services.nsd.zones.<name>.maxRefreshSecs¶
Limit refresh time for secondary zones. This is the timer which checks to see if the zone has to be refetched when it expires. Normally the value from the SOA record is used, but this option restricts that value.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.zones.<name>.maxRetrySecs¶
Limit retry time for secondary zones. This is the timeout after a failed fetch attempt for the zone. Normally the value from the SOA record is used, but this option restricts that value.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.zones.<name>.minRefreshSecs¶
Limit refresh time for secondary zones.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.zones.<name>.minRetrySecs¶
Limit retry time for secondary zones.
Type: null or signed integer
Default:
nullDeclared by:
services.nsd.zones.<name>.notify¶
This primary server will notify all given secondary servers about zone changes.
Format: <ip> <key-name | NOKEY> <ip> a plain IPv4/IPv6 address with on optional port number (ip@port) <key-name | NOKEY> * <key-name> sign notifies with the specified key * NOKEY don't sign notifiesType: list of strings
Default: ``[
]``
Example:
[ "10.0.0.1@3721 my_key" "::5 NOKEY" ]Declared by:
services.nsd.zones.<name>.notifyRetry¶
Specifies the number of retries for failed notifies. Set this along with notify.
Type: signed integer
Default:
5Declared by:
services.nsd.zones.<name>.outgoingInterface¶
This address will be used for zone-transfere requests if configured as a secondary server or notifications in case of a primary server. Supply either a plain IPv4 or IPv6 address with an optional port number (ip@port).
Type: null or string
Default:
nullExample:
"2000::1@1234"Declared by:
services.nsd.zones.<name>.provideXFR¶
Allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
Type: list of strings
Default: ``[
]``
Example:
[ "192.0.2.0/24 NOKEY" "192.0.2.0/24 my_tsig_key_name" ]Declared by:
services.nsd.zones.<name>.requestXFR¶
services.nsd.zones.<name>.rrlWhitelist¶
Whitelists the given rrl-types.
Type: list of one of “nxdomain”, “error”, “referral”, “any”, “rrsig”, “wildcard”, “nodata”, “dnskey”, “positive”, “all”s
Default: ``[
]``
Declared by:
services.nsd.zones.<name>.zoneStats¶
When set to something distinct to null NSD is able to collect statistics per zone. All statistics of this zone(s) will be added to the group specified by this given name. Use “%s” to use the zones name as the group. The groups are output from nsd-control stats and stats_noreset.
Type: null or string
Default:
nullExample:
"%s"Declared by:
services.ntopng.enable¶
Enable ntopng, a high-speed web-based traffic analysis and flow collection tool.
With the default configuration, ntopng monitors all network interfaces and displays its findings at http://localhost:3000. Default username and password is admin/admin.
See the ntopng(8) manual page and http://www.ntop.org/products/ntop/ for more info.
Note that enabling ntopng will also enable redis (key-value database server) for persistent data storage.
Type: boolean
Default:
falseDeclared by:
services.ntopng.configText¶
Overridable configuration file contents to use for ntopng. By default, use the contents automatically generated by NixOS.
Type: strings concatenated with “\n”
Default:
""Example:
'' --interface=any --http-port=3000 --disable-login ''Declared by:
services.ntopng.extraConfig¶
Configuration lines that will be appended to the generated ntopng configuration file. Note that this mechanism does not work when the manual option is used.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.ntopng.http-port¶
Sets the HTTP port of the embedded web server.
Type: signed integer
Default:
3000Declared by:
services.ntopng.interfaces¶
List of interfaces to monitor. Use “any” to monitor all interfaces.
Type: list of strings
Default:
[ "any" ]Example:
[ "eth0" "wlan0" ]Declared by:
services.ntp.enable¶
Whether to synchronise your machine’s time using ntpd, as a peer in the NTP network.
Disables
systemd.timesyncdif enabled.Type: unspecified
Default:
falseDeclared by:
services.ntp.extraFlags¶
Extra flags passed to the ntpd command.
Type: list of strings
Default: ``[
]``
Example:
[ "--interface=eth0" ]Declared by:
services.ntp.restrictDefault¶
The restriction flags to be set by default.
The default flags prevent external hosts from using ntpd as a DDoS reflector, setting system time, and querying OS/ntpd version. As recommended in section 6.5.1.1.3, answer “No” of http://support.ntp.org/bin/view/Support/AccessRestrictions
Type: list of strings
Default:
[ "limited" "kod" "nomodify" "notrap" "noquery" "nopeer" ]Declared by:
services.ntp.restrictSource¶
The restriction flags to be set on source.
The default flags allow peers to be added by ntpd from configured pool(s), but not by other means.
Type: list of strings
Default:
[ "limited" "kod" "nomodify" "notrap" "noquery" ]Declared by:
services.ntp.servers¶
The set of NTP servers from which to synchronise.
Type: unspecified
Default:
[ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]Declared by:
services.nullidentdmod.enable¶
Whether to enable the nullidentdmod identd daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nullidentdmod.userid¶
User ID to return. Set to null to return a random string each time.
Type: null or string
Default:
nullExample:
"alice"Declared by:
services.nullmailer.enable¶
Whether to enable nullmailer daemon.
Type: boolean
Default:
falseDeclared by:
services.nullmailer.config.adminaddr¶
If set, all recipients to users at either “localhost” (the literal string) or the canonical host name (from the me control attribute) are remapped to this address. This is provided to allow local daemons to be able to send email to “somebody@localhost” and have it go somewhere sensible instead of being bounced by your relay host. To send to multiple addresses, put them all on one line separated by a comma.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.allmailfrom¶
If set, content will override the envelope sender on all messages.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.defaultdomain¶
The content of this attribute is appended to any host name that does not contain a period (except localhost), including defaulthost and idhost. Defaults to the value of the me attribute, if it exists, otherwise the literal name defauldomain.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.defaulthost¶
The content of this attribute is appended to any address that is missing a host name. Defaults to the value of the me control attribute, if it exists, otherwise the literal name defaulthost.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.doublebounceto¶
If the original sender was empty (the original message was a delivery status or disposition notification), the double bounce is sent to the address in this attribute.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.helohost¶
Sets the environment variable $HELOHOST which is used by the SMTP protocol module to set the parameter given to the HELO command. Defaults to the value of the me configuration attribute.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.idhost¶
The content of this attribute is used when building the message-id string for the message. Defaults to the canonicalized value of defaulthost.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.maxpause¶
The maximum time to pause between successive queue runs, in seconds. Defaults to 24 hours (86400).
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.me¶
The fully-qualifiled host name of the computer running nullmailer. Defaults to the literal name me.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.pausetime¶
The minimum time to pause between successive queue runs when there are messages in the queue, in seconds. Defaults to 1 minute (60). Each time this timeout is reached, the timeout is doubled to a maximum of maxpause. After new messages are injected, the timeout is reset. If this is set to 0, nullmailer-send will exit immediately after going through the queue once (one-shot mode).
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.remotes¶
A list of remote servers to which to send each message. Each line contains a remote host name or address followed by an optional protocol string, separated by white space.
See man 8 nullmailer-send for syntax and available options.
WARNING: This is stored world-readable in the nix store. If you need to specify any secret credentials here, consider using theremotesFile option instead.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.config.sendtimeout¶
The time to wait for a remote module listed above to complete sending a message before killing it and trying again, in seconds. Defaults to 1 hour (3600). If this is set to 0, nullmailer-send will wait forever for messages to complete sending.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.group¶
Group to use to run nullmailer-send.
Type: string
Default:
"nullmailer"Declared by:
services.nullmailer.remotesFile¶
Path to the remotes control file. This file contains a list of remote servers to which to send each message.
See man 8 nullmailer-send for syntax and available options.
Type: null or string
Default:
nullDeclared by:
services.nullmailer.setSendmail¶
Whether to set the system sendmail to nullmailer’s.
Type: boolean
Default:
trueDeclared by:
services.nullmailer.user¶
User to use to run nullmailer-send.
Type: string
Default:
"nullmailer"Declared by:
services.nylon.<name?>.enable¶
Enables nylon as a running service upon activation.
Type: boolean
Default:
falseDeclared by:
services.nylon.<name?>.acceptInterface¶
Tell nylon which interface to listen for client requests on, default is “lo”.
Type: string
Default:
"lo"Declared by:
services.nylon.<name?>.allowedIPRanges¶
Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: [ “192.168.0.0/16” “127.0.0.0/8” “172.16.0.0/12” “10.0.0.0/8” ]
Type: list of strings
Default:
[ "192.168.0.0/16" "127.0.0.1/8" "172.16.0.1/12" "10.0.0.0/8" ]Declared by:
services.nylon.<name?>.bindInterface¶
Tell nylon which interface to use as an uplink, default is “enp3s0f0”.
Type: string
Default:
"enp3s0f0"Declared by:
services.nylon.<name?>.deniedIPRanges¶
Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: [ “0.0.0.0/0” ] To block all other access than the allowed.
Type: list of strings
Default:
[ "0.0.0.0/0" ]Declared by:
services.nylon.<name?>.logging¶
Enable logging, default is no logging.
Type: boolean
Default:
falseDeclared by:
services.nylon.<name?>.name¶
The name of this nylon instance.
Type: string
Default:
""Declared by:
services.nylon.<name?>.nrConnections¶
The number of allowed simultaneous connections to the daemon, default 10.
Type: signed integer
Default:
10Declared by:
services.nylon.<name?>.port¶
What port to listen for client requests, default is 1080.
Type: signed integer
Default:
1080Declared by:
services.nylon.<name?>.verbosity¶
Enable verbose output, default is to not be verbose.
Type: boolean
Default:
falseDeclared by:
services.nzbget.enable¶
Whether to enable NZBGet.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.nzbget.group¶
Group under which NZBGet runs
Type: string
Default:
"nzbget"Declared by:
services.nzbget.user¶
User account under which NZBGet runs
Type: string
Default:
"nzbget"Declared by:
services.oauth2_proxy.enable¶
Whether to enable oauth2_proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.oauth2_proxy.package¶
The package that provides oauth2_proxy.
Type: package
Default:
"pkgs.oauth2_proxy"Declared by:
services.oauth2_proxy.approvalPrompt¶
OAuth approval_prompt.
Type: one of “force”, “auto”
Default:
"force"Declared by:
services.oauth2_proxy.azure.resource¶
The resource that is protected.
Type: string
Declared by:
services.oauth2_proxy.azure.tenant¶
Go to a tenant-specific or common (tenant-independent) endpoint.
Type: string
Default:
"common"Declared by:
services.oauth2_proxy.basicAuthPassword¶
The password to set when passing the HTTP Basic Auth header.
Type: null or string
Default:
nullDeclared by:
services.oauth2_proxy.clientID¶
The OAuth Client ID.
Type: null or string
Example:
"123456.apps.googleusercontent.com"Declared by:
services.oauth2_proxy.clientSecret¶
The OAuth Client Secret.
Type: null or string
Declared by:
services.oauth2_proxy.cookie.domain¶
An optional cookie domain to force cookies to.
Type: null or string
Default:
nullExample:
".yourcompany.com"Declared by:
services.oauth2_proxy.cookie.expire¶
Expire timeframe for cookie.
Type: string
Default:
"168h0m0s"Declared by:
services.oauth2_proxy.cookie.httpOnly¶
Set HttpOnly cookie flag.
Type: boolean
Default:
trueDeclared by:
services.oauth2_proxy.cookie.name¶
The name of the cookie that the oauth_proxy creates.
Type: string
Default:
"_oauth2_proxy"Declared by:
services.oauth2_proxy.cookie.refresh¶
Refresh the cookie after this duration; 0 to disable.
Type: null or string
Default:
nullExample:
"168h0m0s"Declared by:
services.oauth2_proxy.cookie.secret¶
The seed string for secure cookies.
Type: null or string
Declared by:
services.oauth2_proxy.cookie.secure¶
Set secure (HTTPS) cookie flag.
Type: boolean
Default:
trueDeclared by:
services.oauth2_proxy.customTemplatesDir¶
Path to custom HTML templates.
Type: null or path
Default:
nullDeclared by:
services.oauth2_proxy.email.addresses¶
Line-separated email addresses that are allowed to authenticate.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.oauth2_proxy.email.domains¶
Authenticate emails with the specified domains. Use``*`` to authenticate any email.
Type: list of strings
Default: ``[
]``
Declared by:
services.oauth2_proxy.extraConfig¶
services.oauth2_proxy.github.org¶
Restrict logins to members of this organisation.
Type: null or string
Default:
nullDeclared by:
services.oauth2_proxy.github.team¶
Restrict logins to members of this team.
Type: null or string
Default:
nullDeclared by:
services.oauth2_proxy.google.adminEmail¶
The Google Admin to impersonate for API calls.
Only users with access to the Admin APIs can access the Admin SDK Directory API, thus the service account needs to impersonate one of those users to access the Admin SDK Directory API.
Type: string
Declared by:
services.oauth2_proxy.google.groups¶
Restrict logins to members of these Google groups.
Type: list of strings
Default: ``[
]``
Declared by:
services.oauth2_proxy.google.serviceAccountJSON¶
The path to the service account JSON credentials.
Type: path
Declared by:
services.oauth2_proxy.htpasswd.displayForm¶
Display username / password login form if an htpasswd file is provided.
Type: boolean
Default:
trueDeclared by:
services.oauth2_proxy.htpasswd.file¶
Additionally authenticate against a htpasswd file. Entries must be created with
htpasswd -sfor SHA encryption.Type: null or path
Default:
nullDeclared by:
services.oauth2_proxy.httpAddress¶
HTTPS listening address. This module does not expose the port by default. If you want this URL to be accessible to other machines, please add the port to
networking.firewall.allowedTCPPorts.Type: string
Default:
"http://127.0.0.1:4180"Declared by:
services.oauth2_proxy.keyFile¶
oauth2_proxy allows passing sensitive configuration via environment variables. Make a file that contains lines like OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com and specify the path here.
Type: null or path
Default:
nullExample:
"/run/keys/oauth2_proxy"Declared by:
services.oauth2_proxy.loginURL¶
Authentication endpoint.
You only need to set this if you are using a self-hosted provider (e.g. Github Enterprise). If you’re using a publicly hosted provider (e.g github.com), then the default works.
Type: null or string
Default:
nullExample:
"https://provider.example.com/oauth/authorize"Declared by:
services.oauth2_proxy.nginx.proxy¶
The address of the reverse proxy endpoint for oauth2_proxy
Type: string
Default:
"http://127.0.0.1:4180"Declared by:
services.oauth2_proxy.nginx.virtualHosts¶
A list of nginx virtual hosts to put behind the oauth2 proxy
Type: list of strings
Default: ``[
]``
Declared by:
services.oauth2_proxy.passAccessToken¶
Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
Type: boolean
Default:
falseDeclared by:
services.oauth2_proxy.passBasicAuth¶
Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
Type: boolean
Default:
trueDeclared by:
services.oauth2_proxy.passHostHeader¶
Pass the request Host Header to upstream.
Type: boolean
Default:
trueDeclared by:
services.oauth2_proxy.profileURL¶
Profile access endpoint.
Type: null or string
Default:
nullDeclared by:
services.oauth2_proxy.provider¶
OAuth provider.
Type: one of “google”, “github”, “azure”, “gitlab”, “linkedin”, “myusa”
Default:
"google"Declared by:
services.oauth2_proxy.proxyPrefix¶
The url root path that this proxy should be nested under.
Type: string
Default:
"/oauth2"Declared by:
services.oauth2_proxy.redeemURL¶
Token redemption endpoint.
You only need to set this if you are using a self-hosted provider (e.g. Github Enterprise). If you’re using a publicly hosted provider (e.g github.com), then the default works.
Type: null or string
Default:
nullExample:
"https://provider.example.com/oauth/token"Declared by:
services.oauth2_proxy.redirectURL¶
The OAuth2 redirect URL.
Type: null or string
Default:
nullExample:
"https://internalapp.yourcompany.com/oauth2/callback"Declared by:
services.oauth2_proxy.requestLogging¶
Log requests to stdout.
Type: boolean
Default:
trueDeclared by:
services.oauth2_proxy.scope¶
OAuth scope specification.
Type: null or string
Default:
nullDeclared by:
services.oauth2_proxy.setXauthrequest¶
Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to ‘null’ means using the upstream default (false).
Type: null or boolean
Default:
falseDeclared by:
services.oauth2_proxy.signatureKey¶
GAP-Signature request signature key.
Type: null or string
Default:
nullExample:
"sha1:secret0"Declared by:
services.oauth2_proxy.skipAuthRegexes¶
Skip authentication for requests matching any of these regular expressions.
Type: list of strings
Default: ``[
]``
Declared by:
services.oauth2_proxy.tls.enable¶
Whether to serve over TLS.
Type: boolean
Default:
falseDeclared by:
services.oauth2_proxy.tls.certificate¶
Path to certificate file.
Type: path
Declared by:
services.oauth2_proxy.tls.httpsAddress¶
addr:portto listen on for HTTPS clients.Remember to add
portto``allowedTCPPorts`` if you want other machines to be able to connect to it.Type: string
Default:
":443"Declared by:
services.oauth2_proxy.tls.key¶
Path to private key file.
Type: path
Declared by:
services.oauth2_proxy.upstream¶
The http url(s) of the upstream endpoint or
file://paths for static files. Routing is based on the path.Type: list of strings or string convertible to it
Default: ``[
]``
Declared by:
services.oauth2_proxy.validateURL¶
Access token validation endpoint.
You only need to set this if you are using a self-hosted provider (e.g. Github Enterprise). If you’re using a publicly hosted provider (e.g github.com), then the default works.
Type: null or string
Default:
nullExample:
"https://provider.example.com/user/emails"Declared by:
services.ocserv.enable¶
Whether to enable ocserv.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ocserv.config¶
Configuration content to start an OCServ server.
For a full configuration reference,please refer to the online documentation (https://ocserv.gitlab.io/www/manual.html), the openconnect recipes (https://github.com/openconnect/recipes) or `man ocserv`.
Type: strings concatenated with “\n”
Example:
'' # configuration examples from $out/doc without explanatory comments. # for a full reference please look at the installed man pages. auth = "plain[passwd=./sample.passwd]" tcp-port = 443 udp-port = 443 run-as-user = nobody run-as-group = nogroup socket-file = /run/ocserv-socket server-cert = certs/server-cert.pem server-key = certs/server-key.pem keepalive = 32400 dpd = 90 mobile-dpd = 1800 switch-to-tcp-timeout = 25 try-mtu-discovery = false cert-user-oid = 0.9.2342.19200300.100.1.1 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" auth-timeout = 240 min-reauth-time = 300 max-ban-score = 80 ban-reset-time = 1200 cookie-timeout = 300 deny-roaming = false rekey-time = 172800 rekey-method = ssl use-occtl = true pid-file = /run/ocserv.pid device = vpns predictable-ips = true default-domain = example.com ipv4-network = 192.168.1.0 ipv4-netmask = 255.255.255.0 dns = 192.168.1.2 ping-leases = false route = 10.10.10.0/255.255.255.0 route = 192.168.0.0/255.255.0.0 no-route = 192.168.5.0/255.255.255.0 cisco-client-compat = true dtls-legacy = true [vhost:www.example.com] auth = "certificate" ca-cert = certs/ca.pem server-cert = certs/server-cert-secp521r1.pem server-key = cersts/certs/server-key-secp521r1.pem ipv4-network = 192.168.2.0 ipv4-netmask = 255.255.255.0 cert-user-oid = 0.9.2342.19200300.100.1.1 ''Declared by:
services.octoprint.enable¶
Whether to enable OctoPrint, web interface for 3D printers.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.octoprint.extraConfig¶
Extra options which are added to OctoPrint’s YAML configuration file.
Type: attribute set
Default: ``{
}``
Declared by:
services.octoprint.group¶
Group for the daemon.
Type: string
Default:
"octoprint"Declared by:
services.octoprint.host¶
Host to bind OctoPrint to.
Type: string
Default:
"0.0.0.0"Declared by:
services.octoprint.plugins¶
Additional plugins.
Type: unspecified
Default:
"plugins: \[]"Example:
plugins: [ m3d-fio ]Declared by:
services.octoprint.port¶
Port to bind OctoPrint to.
Type: signed integer
Default:
5000Declared by:
services.octoprint.stateDir¶
State directory of the daemon.
Type: path
Default:
"/var/lib/octoprint"Declared by:
services.octoprint.user¶
User for the daemon.
Type: string
Default:
"octoprint"Declared by:
services.offlineimap.enable¶
Whether to enable OfflineIMAP, a software to dispose your mailbox(es) as a local Maildir(s).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.offlineimap.package¶
Offlineimap derivation to use.
Type: package
Default:
"pkgs.offlineimap"Declared by:
services.offlineimap.install¶
Whether to install a user service for Offlineimap. Once the service is started, emails will be fetched automatically.
The service must be manually started for each user with “systemctl –user start offlineimap” or globally through``services.offlineimap.enable``.
Type: boolean
Default:
falseDeclared by:
services.offlineimap.onCalendar¶
How often is offlineimap started. Default is ‘*:0/3’ meaning every 3 minutes. See systemd.time(7) for more information about the format.
Type: string
Default:
"\*:0/3"Declared by:
services.offlineimap.path¶
List of derivations to put in Offlineimap’s path.
Type: list of paths
Default: ``[
]``
Example:
[ pkgs.pass pkgs.bash pkgs.notmuch ]Declared by:
services.offlineimap.timeoutStartSec¶
How long waiting for offlineimap before killing it. Default is ‘120sec’ meaning every 2 minutes. See systemd.time(7) for more information about the format.
Type: string
Default:
"120sec"Declared by:
services.ofono.enable¶
Whether to enable Ofono.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ofono.plugins¶
The list of plugins to install.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.modem-manager-gui ]Declared by:
services.oidentd.enable¶
Whether to enable ‘oidentd’, an implementation of the Ident protocol (RFC 1413). It allows remote systems to identify the name of the user associated with a TCP connection.
Type: boolean
Default:
falseDeclared by:
services.openafsClient.enable¶
Whether to enable the OpenAFS client.
Type: boolean
Default:
falseDeclared by:
services.openafsClient.packages.module¶
OpenAFS kernel module package. MUST match the userland package!
Type: package
Default:
"config.boot.kernelPackages.openafs"Declared by:
services.openafsClient.packages.programs¶
OpenAFS programs package. MUST match the kernel module package!
Type: package
Default:
"getBin pkgs.openafs"Declared by:
services.openafsClient.afsdb¶
Resolve cells via AFSDB DNS records.
Type: boolean
Default:
trueDeclared by:
services.openafsClient.cache.blocks¶
Cache size in 1KB blocks.
Type: signed integer
Default:
100000Declared by:
services.openafsClient.cache.chunksize¶
Size of each cache chunk given in powers of 2.
0resets the chunk size to its default values (13 (8 KB) for memcache, 18-20 (256 KB to 1 MB) for diskcache). Maximum value is 30. Important performance parameter. Set to higher values when dealing with large files.Type: integer between 0 and 30 (both inclusive)
Default:
0Declared by:
services.openafsClient.cache.directory¶
Cache directory.
Type: string
Default:
"/var/cache/openafs"Declared by:
services.openafsClient.cache.diskless¶
Use in-memory cache for diskless machines. Has no real performance benefit anymore.
Type: boolean
Default:
falseDeclared by:
services.openafsClient.cellName¶
Cell name.
Type: string
Default:
""Example:
"grand.central.org"Declared by:
services.openafsClient.cellServDB¶
This cell’s database server records, added to the global CellServDB. See CellServDB(5) man page for syntax. Ignored when``afsdb`` is set to
true.Type: list of submodules
Default: ``[
]``
Example:
'' [ { ip = "1.2.3.4"; dnsname = "first.afsdb.server.dns.fqdn.org"; } { ip = "2.3.4.5"; dnsname = "second.afsdb.server.dns.fqdn.org"; } ] ''Declared by:
services.openafsClient.cellServDB.*.dnsname¶
DNS full-qualified domain name of a database server
Type: string
Default:
""Example:
"afs.example.org"Declared by:
services.openafsClient.cellServDB.*.ip¶
IP Address of a database server
Type: string
Default:
""Example:
"1.2.3.4"Declared by:
services.openafsClient.crypt¶
Whether to enable (weak) protocol encryption.
Type: boolean
Default:
trueDeclared by:
services.openafsClient.daemons¶
Number of daemons to serve user requests. Numbers higher than 6 usually do no increase performance. Default is sufficient for up to five concurrent users.
Type: signed integer
Default:
2Declared by:
services.openafsClient.fakestat¶
Return fake data on stat() calls. If
true, always do so. Iffalse, only do so for cross-cell mounts (as these are potentially expensive).Type: boolean
Default:
falseDeclared by:
services.openafsClient.inumcalc¶
Inode calculation method.
compatis computationally less expensive, butmd5greatly reduces the likelihood of inode collisions in larger scenarios involving multiple cells mounted into one AFS space.Type: string matching the pattern compat|md5
Default:
"compat"Declared by:
services.openafsClient.mountPoint¶
Mountpoint of the AFS file tree, conventionally``/afs``. When set to a different value, only cross-cells that use the same value can be accessed.
Type: string
Default:
"/afs"Declared by:
services.openafsClient.sparse¶
Minimal cell list in /afs.
Type: boolean
Default:
trueDeclared by:
services.openafsClient.startDisconnected¶
Start up in disconnected mode. You need to execute``fs disco online`` (as root) to switch to connected mode. Useful for roaming devices.
Type: boolean
Default:
falseDeclared by:
services.openafsServer.enable¶
Whether to enable the OpenAFS server. An OpenAFS server needs a complex setup. So, be aware that enabling this service and setting some options does not give you a turn-key-ready solution. You need at least a running Kerberos 5 setup, as OpenAFS relies on it for authentication. See the Guide “QuickStartUnix” coming with``pkgs.openafs.doc`` for complete setup instructions.
Type: boolean
Default:
falseDeclared by:
services.openafsServer.package¶
OpenAFS package for the server binaries
Type: package
Default:
"pkgs.openafs.server or pkgs.openafs"Declared by:
services.openafsServer.advertisedAddresses¶
List of IP addresses this server is advertised under. See NetInfo(5)
Type: unspecified
Default: ``[
]``
Declared by:
services.openafsServer.cellName¶
Cell name, this server will serve.
Type: string
Default:
""Example:
"grand.central.org"Declared by:
services.openafsServer.cellServDB¶
Definition of all cell-local database server machines.
Type: list of submodules
Default: ``[
]``
Declared by:
services.openafsServer.cellServDB.*.dnsname¶
DNS full-qualified domain name of a database server
Type: string
Default:
""Example:
"afs.example.org"Declared by:
services.openafsServer.cellServDB.*.ip¶
IP Address of a database server
Type: string
Default:
""Example:
"1.2.3.4"Declared by:
services.openafsServer.dottedPrincipals¶
If enabled, allow principal names containing (.) dots. Enabling this has security implications!
Type: boolean
Default:
falseDeclared by:
services.openafsServer.roles.backup.enable¶
Backup server role. Use in conjunction with the``database`` role to maintain the Backup Database. Normally only used in conjunction with tape storage or IBM’s Tivoli Storage Manager.
Type: boolean
Default:
falseDeclared by:
services.openafsServer.roles.backup.buserverArgs¶
Arguments to the buserver process. See its man page.
Type: string
Default:
""Example:
"-p 8"Declared by:
services.openafsServer.roles.backup.cellServDB¶
Definition of all cell-local backup database server machines. Use this when your cell uses less backup database servers than other database server machines.
Type: list of submodules
Default: ``[
]``
Declared by:
services.openafsServer.roles.backup.cellServDB.*.dnsname¶
DNS full-qualified domain name of a database server
Type: string
Default:
""Example:
"afs.example.org"Declared by:
services.openafsServer.roles.backup.cellServDB.*.ip¶
IP Address of a database server
Type: string
Default:
""Example:
"1.2.3.4"Declared by:
services.openafsServer.roles.database.enable¶
Database server role, maintains the Volume Location Database, Protection Database (and Backup Database, see``backup`` role). There can be multiple servers in the database role for replication, which then need reliable network connection to each other.
Servers in this role appear in AFSDB DNS records or the CellServDB.
Type: boolean
Default:
trueDeclared by:
services.openafsServer.roles.database.ptserverArgs¶
Arguments to the ptserver process. See its man page.
Type: string
Default:
""Example:
"-restricted -default_access S---- S-M---"Declared by:
services.openafsServer.roles.database.vlserverArgs¶
Arguments to the vlserver process. See its man page.
Type: string
Default:
""Example:
"-rxbind"Declared by:
services.openafsServer.roles.fileserver.enable¶
Fileserver role, serves files and volumes from its local storage.
Type: boolean
Default:
trueDeclared by:
services.openafsServer.roles.fileserver.fileserverArgs¶
Arguments to the dafileserver process. See its man page.
Type: string
Default:
"-vattachpar 128 -vhashsize 11 -L -rxpck 400 -cb 1000000"Declared by:
services.openafsServer.roles.fileserver.salvagerArgs¶
Arguments to the dasalvager process. See its man page.
Type: string
Default:
""Example:
"-showlog -showmounts"Declared by:
services.openafsServer.roles.fileserver.salvageserverArgs¶
Arguments to the salvageserver process. See its man page.
Type: string
Default:
""Example:
"-showlog"Declared by:
services.openafsServer.roles.fileserver.volserverArgs¶
Arguments to the davolserver process. See its man page.
Type: string
Default:
""Example:
"-sync never"Declared by:
services.openafsServer.udpPacketSize¶
UDP packet size to use in Bytes. Higher values can speed up communications. The default of 1 MB is a sufficient in most cases. Make sure to increase the kernel’s UDP buffer size accordingly via
net.core(w|r|opt)mem_maxsysctl.Type: signed integer
Default:
1310720Declared by:
services.openarena.enable¶
Whether to enable OpenArena.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.openarena.extraFlags¶
Extra flags to pass to oa_ded
Type: list of strings
Default: ``[
]``
Example:
[ "+set dedicated 2" "+set sv_hostname 'My NixOS OpenArena Server'" "+map oa_dm1" ]Declared by:
services.openarena.openPorts¶
Whether to open firewall ports for OpenArena
Type: boolean
Default:
falseDeclared by:
services.opendkim.enable¶
Whether to enable the OpenDKIM sender authentication system.
Type: boolean
Default:
falseDeclared by:
services.opendkim.configFile¶
Additional opendkim configuration.
Type: null or path
Default:
nullDeclared by:
services.opendkim.domains¶
Local domains set (see
opendkim(8)for more information on datasets). Messages from them are signed, not verified.Type: string
Default:
"csl:nixos"Example:
"csl:example.com,mydomain.net"Declared by:
services.opendkim.group¶
Group for the daemon.
Type: string
Default:
"opendkim"Declared by:
services.opendkim.keyPath¶
The path that opendkim should put its generated private keys into. The DNS settings will be found in this directory with the name selector.txt.
Type: path
Default:
"/var/lib/opendkim/keys"Declared by:
services.opendkim.selector¶
Selector to use when signing.
Type: string
Declared by:
services.opendkim.socket¶
Socket which is used for communication with OpenDKIM.
Type: string
Default:
"local:/run/opendkim/opendkim.sock"Declared by:
services.opendkim.user¶
User for the daemon.
Type: string
Default:
"opendkim"Declared by:
services.openfire.enable¶
Whether to enable OpenFire XMPP server.
Type: unspecified
Default:
falseDeclared by:
services.openfire.usePostgreSQL¶
Whether you use PostgreSQL service for your storage back-end.
Type: unspecified
Default:
trueDeclared by:
services.openldap.enable¶
Whether to enable the ldap server.
Type: boolean
Default:
falseDeclared by:
services.openldap.configDir¶
Use this optional config directory instead of using slapd.conf
Type: null or path
Default:
nullExample:
"/var/db/slapd.d"Declared by:
services.openldap.dataDir¶
The database directory.
Type: path
Default:
"/var/db/openldap"Declared by:
services.openldap.database¶
Database type to use for the LDAP. This setting will be ignored if configDir is set.
Type: string
Default:
"mdb"Declared by:
services.openldap.declarativeContents¶
Declarative contents for the LDAP database, in LDIF format.
Note a few facts when using it. First, the database*must* be stored in the directory defined bydataDir. Second, all dataDir will be erased when starting the LDAP server. Third, modifications to the database are not prevented, they are just dropped on the next reboot of the server. Finally, performance-wise the database and indexes are rebuilt on each server startup, so this will slow down server startup, especially with large databases.
Type: null or strings concatenated with “\n”
Default:
nullExample:
'' dn: dc=example,dc=org objectClass: domain dc: example dn: ou=users,dc=example,dc=org objectClass = organizationalUnit ou: users # ... ''Declared by:
services.openldap.defaultSchemas¶
Include the default schemas core, cosine, inetorgperson and nis. This setting will be ignored if configDir is set.
Type: boolean
Default:
trueDeclared by:
services.openldap.extraConfig¶
slapd.conf configuration
Type: strings concatenated with “\n”
Default:
""Example:
'' include ${pkgs.openldap.out}/etc/schema/core.schema include ${pkgs.openldap.out}/etc/schema/cosine.schema include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema include ${pkgs.openldap.out}/etc/schema/nis.schema database bdb suffix dc=example,dc=org rootdn cn=admin,dc=example,dc=org # NOTE: change after first start rootpw secret directory /var/db/openldap ''Declared by:
services.openldap.extraDatabaseConfig¶
slapd.conf configuration after the database option. This setting will be ignored if configDir is set.
Type: strings concatenated with “\n”
Default:
""Example:
'' # Indices to maintain for this directory # unique id so equality match only index uid eq # allows general searching on commonname, givenname and email index cn,gn,mail eq,sub # allows multiple variants on surname searching index sn eq,sub # sub above includes subintial,subany,subfinal # optimise department searches index ou eq # if searches will include objectClass uncomment following # index objectClass eq # shows use of default index parameter index default eq,sub # indices missing - uses default eq,sub index telephonenumber # other database parameters # read more in slapd.conf reference section cachesize 10000 checkpoint 128 15 ''Declared by:
services.openldap.group¶
Group account under which slapd runs.
Type: string
Default:
"openldap"Declared by:
services.openldap.logLevel¶
The log level selector of slapd.
Type: string
Default:
"0"Example:
"acl trace"Declared by:
services.openldap.rootdn¶
Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database. This setting will be ignored if configDir is set.
Type: string
Example:
"cn=admin,dc=example,dc=org"Declared by:
services.openldap.rootpw¶
Password for the root user. This setting will be ignored if configDir is set. Using this option will store the root password in plain text in the world-readable nix store. To avoid this the
rootpwFilecan be used.Type: null or string
Default:
nullDeclared by:
services.openldap.rootpwFile¶
Password file for the root user. The file should contain the string
rootpwfollowed by the password. e.g.:rootpw mysecurepasswordType: null or string
Default:
nullDeclared by:
services.openldap.suffix¶
Specify the DN suffix of queries that will be passed to this backend database. This setting will be ignored if configDir is set.
Type: string
Example:
"dc=example,dc=org"Declared by:
services.openldap.urlList¶
URL list slapd should listen on.
Type: list of strings
Default:
[ "ldap:///" ]Example:
[ "ldaps:///" ]Declared by:
services.openldap.user¶
User account under which slapd runs.
Type: string
Default:
"openldap"Declared by:
services.openntpd.enable¶
Whether to enable OpenNTP time synchronization server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.openntpd.extraConfig¶
Additional text appended to
openntpd.conf.Type: strings concatenated with “\n”
Default:
""Example:
'' listen on 127.0.0.1 listen on ::1 ''Declared by:
services.openntpd.extraOptions¶
Extra options used when launching openntpd.
Type: strings concatenated with ” “
Default:
""Example:
"-s"Declared by:
services.openntpd.servers¶
The set of NTP servers from which to synchronise.
Type: list of strings
Default:
[ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]Declared by:
services.opensmtpd.enable¶
Whether to enable the OpenSMTPD server.
Type: boolean
Default:
falseDeclared by:
services.opensmtpd.package¶
The OpenSMTPD package to use.
Type: package
Default:
"pkgs.opensmtpd"Declared by:
services.opensmtpd.addSendmailToSystemPath¶
Whether to add OpenSMTPD’s sendmail binary to the system path or not.
Type: boolean
Default:
trueDeclared by:
services.opensmtpd.extraServerArgs¶
Extra command line arguments provided when the smtpd process is started.
Type: list of strings
Default: ``[
]``
Example:
[ "-v" "-P mta" ]Declared by:
services.opensmtpd.procPackages¶
Packages to search for filters, tables, queues, and schedulers.
Add OpenSMTPD-extras here if you want to use the filters, etc. from that package.
Type: list of packages
Default: ``[
]``
Declared by:
services.opensmtpd.serverConfiguration¶
The contents of the smtpd.conf configuration file. See the OpenSMTPD documentation for syntax information.
Type: strings concatenated with “\n”
Example:
'' listen on lo accept for any deliver to lmtp localhost:24 ''Declared by:
services.openssh.enable¶
Whether to enable the OpenSSH secure shell daemon, which allows secure remote logins.
Type: boolean
Default:
falseDeclared by:
services.openssh.allowSFTP¶
Whether to enable the SFTP subsystem in the SSH daemon. This enables the use of commands such as sftp and:command:sshfs.
Type: boolean
Default:
trueDeclared by:
services.openssh.authorizedKeysFiles¶
services.openssh.challengeResponseAuthentication¶
Specifies whether challenge/response authentication is allowed.
Type: boolean
Default:
trueDeclared by:
services.openssh.ciphers¶
Allowed ciphers
Defaults to recommended settings from both` <https://stribika.github.io/2015/01/04/secure-secure-shell.html>`_ and` <https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29>`_
Type: list of strings
Default:
[ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]Declared by:
services.openssh.extraConfig¶
Verbatim contents of
sshd_config.Type: strings concatenated with “\n”
Default:
""Declared by:
services.openssh.forwardX11¶
Whether to allow X11 connections to be forwarded.
Type: boolean
Default:
falseDeclared by:
services.openssh.gatewayPorts¶
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. Seesshd_config5.
Type: string
Default:
"no"Declared by:
services.openssh.hostKeys¶
NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. Seessh-keygen1 for supported types and sizes.
Type: list of attribute sets
Default: ``[
{ bits = 4096; path = “/etc/ssh/ssh_host_rsa_key”; type = “rsa”; }
{ path = “/etc/ssh/ssh_host_ed25519_key”; type = “ed25519”; }
]``
Example: ``[
{ bits = 4096; openSSHFormat = true; path = “/etc/ssh/ssh_host_rsa_key”; rounds = 100; type = “rsa”; }
{ comment = “key comment”; path = “/etc/ssh/ssh_host_ed25519_key”; rounds = 100; type = “ed25519”; }
]``
Declared by:
services.openssh.kexAlgorithms¶
Allowed key exchange algorithms
Defaults to recommended settings from both` <https://stribika.github.io/2015/01/04/secure-secure-shell.html>`_ and` <https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29>`_
Type: list of strings
Default:
[ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]Declared by:
services.openssh.knownHosts¶
Alias of .
Type: list or attribute set of submodules
Declared by:
services.openssh.knownHosts.<name?>.certAuthority¶
This public key is an SSH certificate authority, rather than an individual host’s key.
Type: boolean
Default:
falseDeclared by:
services.openssh.knownHosts.<name?>.hostNames¶
A list of host names and/or IP numbers used for accessing the host’s ssh service.
Type: list of strings
Default: ``[
]``
Declared by:
services.openssh.knownHosts.<name?>.publicKey¶
The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.
Type: null or string
Default:
nullExample:
"ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="Declared by:
services.openssh.knownHosts.<name?>.publicKeyFile¶
The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the
publicKeyoption.Type: null or path
Default:
nullDeclared by:
services.openssh.listenAddresses¶
List of addresses and ports to listen on (ListenAddress directive in config). If port is not specified for address sshd will listen on all ports specified by
portsoption. NOTE: this will override default listening on all local addresses and port 22. NOTE: setting this option won’t automatically enable given ports in firewall configuration.Type: list of submodules
Default: ``[
]``
Example: ``[
{ addr = “192.168.3.1”; port = 22; }
{ addr = “0.0.0.0”; port = 64022; }
]``
Declared by:
services.openssh.listenAddresses.*.addr¶
Host, IPv4 or IPv6 address to listen to.
Type: null or string
Default:
nullDeclared by:
services.openssh.listenAddresses.*.port¶
Port to listen to.
Type: null or signed integer
Default:
nullDeclared by:
services.openssh.logLevel¶
Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.
LogLevel VERBOSE logs user’s key fingerprint on login. Needed to have a clear audit track of which key was used to log in.
Type: one of “QUIET”, “FATAL”, “ERROR”, “INFO”, “VERBOSE”, “DEBUG”, “DEBUG1”, “DEBUG2”, “DEBUG3”
Default:
"VERBOSE"Declared by:
services.openssh.macs¶
Allowed MACs
Defaults to recommended settings from both` <https://stribika.github.io/2015/01/04/secure-secure-shell.html>`_ and` <https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29>`_
Type: list of strings
Default:
[ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ]Declared by:
services.openssh.moduliFile¶
Path to
modulifile to install in``/etc/ssh/moduli``. If this option is unset, then themodulifile shipped with OpenSSH will be used.Type: path
Example:
"/etc/my-local-ssh-moduli;"Declared by:
services.openssh.openFirewall¶
Whether to automatically open the specified ports in the firewall.
Type: boolean
Default:
trueDeclared by:
services.openssh.passwordAuthentication¶
Specifies whether password authentication is allowed.
Type: boolean
Default:
trueDeclared by:
services.openssh.permitRootLogin¶
Whether the root user can login using ssh.
Type: one of “yes”, “without-password”, “prohibit-password”, “forced-commands-only”, “no”
Default:
"prohibit-password"Declared by:
services.openssh.ports¶
Specifies on which ports the SSH daemon listens.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)s
Default:
[ 22 ]Declared by:
services.openssh.sftpFlags¶
Commandline flags to add to sftp-server.
Type: list of strings
Default: ``[
]``
Example:
[ "-f AUTHPRIV" "-l INFO" ]Declared by:
services.openssh.startWhenNeeded¶
If set, sshd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start an instance for each incoming connection.
Type: boolean
Default:
falseDeclared by:
services.openssh.useDns¶
Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives.
Type: boolean
Default:
falseDeclared by:
services.opentracker.enable¶
Whether to enable opentracker.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.opentracker.package¶
opentracker package to use
Type: package
Default:
"pkgs.opentracker"Declared by:
services.opentracker.extraOptions¶
Configuration Arguments for opentracker See https://erdgeist.org/arts/software/opentracker/ for all params
Type: strings concatenated with ” “
Default:
""Declared by:
services.opentsdb.enable¶
Whether to run OpenTSDB.
Type: boolean
Default:
falseDeclared by:
services.opentsdb.package¶
OpenTSDB package to use.
Type: package
Default:
"pkgs.opentsdb"Example:
pkgs.opentsdbDeclared by:
services.opentsdb.config¶
The contents of OpenTSDB’s configuration file
Type: strings concatenated with “\n”
Default:
'' tsd.core.auto_create_metrics = true tsd.http.request.enable_chunked = true ''Declared by:
services.opentsdb.group¶
Group account under which OpenTSDB runs.
Type: string
Default:
"opentsdb"Declared by:
services.opentsdb.port¶
Which port OpenTSDB listens on.
Type: signed integer
Default:
4242Declared by:
services.opentsdb.user¶
User account under which OpenTSDB runs.
Type: string
Default:
"opentsdb"Declared by:
services.openvpn.servers¶
Each attribute of this option defines a systemd service that runs an OpenVPN instance. These can be OpenVPN servers or clients. The name of each systemd service is``openvpn-name.service``, where name is the corresponding attribute name.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ server = { config = '' # Simplest server configuration: https://community.openvpn.net/openvpn/wiki/StaticKeyMiniHowto # server : dev tun ifconfig 10.8.0.1 10.8.0.2 secret /root/static.key ''; up = "ip route add ..."; down = "ip route del ..."; }; client = { config = '' client remote vpn.example.org dev tun proto tcp-client port 8080 ca /root/.vpn/ca.crt cert /root/.vpn/alice.crt key /root/.vpn/alice.key ''; up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev"; down = "${pkgs.openresolv}/sbin/resolvconf -d $dev"; }; }Declared by:
services.openvpn.servers.<name>.authUserPass¶
This option can be used to store the username / password credentials with the “auth-user-pass” authentication method.
WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!
Type: null or submodule
Default:
nullDeclared by:
services.openvpn.servers.<name>.authUserPass.password¶
The password to store inside the credentials file.
Type: string
Declared by:
services.openvpn.servers.<name>.authUserPass.username¶
The username to store inside the credentials file.
Type: string
Declared by:
services.openvpn.servers.<name>.autoStart¶
Whether this OpenVPN instance should be started automatically.
Type: boolean
Default:
trueDeclared by:
services.openvpn.servers.<name>.config¶
Configuration of this OpenVPN instance. Seeopenvpn8 for details.
To import an external config file, use the following definition:
config = "config /path/to/config.ovpn"Type: strings concatenated with “\n”
Declared by:
services.openvpn.servers.<name>.down¶
Shell commands executed when the instance is shutting down.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.openvpn.servers.<name>.up¶
Shell commands executed when the instance is starting.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.openvpn.servers.<name>.updateResolvConf¶
Use the script from the update-resolv-conf package to automatically update resolv.conf with the DNS information provided by openvpn. The script will be run after the “up” commands and before the “down” commands.
Type: boolean
Default:
falseDeclared by:
services.orangefs.client.enable¶
Whether to enable OrangeFS client daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.orangefs.client.extraOptions¶
services.orangefs.client.fileSystems¶
The orangefs file systems to be mounted. This option is prefered over using directly since the pvfs client service needs to be running for it to be mounted.
Type: list of submodules
Example: ``[
{ mountPoint = “/orangefs”; target = “tcp://server:3334/orangefs”; }
]``
Declared by:
services.orangefs.client.fileSystems.*.mountPoint¶
Mount point.
Type: string
Default:
"/orangefs"Declared by:
services.orangefs.client.fileSystems.*.options¶
services.orangefs.client.fileSystems.*.target¶
Target URL
Type: string
Default:
nullExample:
"tcp://server:3334/orangefs"Declared by:
services.orangefs.server.enable¶
Whether to enable OrangeFS server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.orangefs.server.BMIModules¶
List of BMI modules to load.
Type: list of strings
Default:
[ "bmi_tcp" ]Example:
[ "bmi_tcp" "bmi_ib" ]Declared by:
services.orangefs.server.dataStorageSpace¶
Directory for data storage.
Type: string
Default:
nullExample:
"/data/storage"Declared by:
services.orangefs.server.extraConfig¶
Extra config for the global section.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.orangefs.server.extraDefaults¶
Extra config for
<Defaults>section.Type: strings concatenated with “\n”
Default:
""Declared by:
services.orangefs.server.fileSystems¶
These options will create the
<FileSystem>sections of config file.Type: attribute set of submodules
Default:
{ orangefs = {}; }Example:
{ fs1 = { id = 101; }; fs2 = { id = 102; }; }Declared by:
services.orangefs.server.fileSystems.<name>.extraConfig¶
Extra config for
<FileSystem>section.Type: strings concatenated with “\n”
Default:
""Declared by:
services.orangefs.server.fileSystems.<name>.extraStorageHints¶
Extra config for
<StorageHints>section.Type: strings concatenated with “\n”
Default:
""Declared by:
services.orangefs.server.fileSystems.<name>.id¶
File system ID (must be unique within configuration).
Type: signed integer
Default:
1Declared by:
services.orangefs.server.fileSystems.<name>.rootHandle¶
File system root ID.
Type: signed integer
Default:
3Declared by:
services.orangefs.server.fileSystems.<name>.troveSyncData¶
Sync data.
Type: boolean
Default:
falseDeclared by:
services.orangefs.server.fileSystems.<name>.troveSyncMeta¶
Sync meta data.
Type: boolean
Default:
trueDeclared by:
services.orangefs.server.logType¶
Destination for log messages.
Type: one of “file”, “syslog”
Default:
"syslog"Declared by:
services.orangefs.server.metadataStorageSpace¶
Directory for meta data storage.
Type: string
Default:
nullExample:
"/data/meta"Declared by:
services.orangefs.server.servers¶
URLs for storage server including port. The attribute names define the server alias.
Type: attribute set of strings
Default: ``{
}``
Example:
'' { node1="tcp://node1:3334"; node2="tcp://node2:3334"; } ''Declared by:
services.osrm.enable¶
Enable the OSRM service.
Type: boolean
Default:
falseDeclared by:
services.osrm.address¶
IP address on which the web server will listen.
Type: string
Default:
"0.0.0.0"Declared by:
services.osrm.algorithm¶
Algorithm to use for the data. Must be one of CH, CoreCH, MLD
Type: one of “CH”, “CoreCH”, “MLD”
Default:
"MLD"Declared by:
services.osrm.dataFile¶
Data file location
Type: path
Example:
"/var/lib/osrm/berlin-latest.osrm"Declared by:
services.osrm.extraFlags¶
Extra command line arguments passed to osrm-routed
Type: list of strings
Default: ``[
]``
Example:
[ "--max-table-size 1000" "--max-matching-size 1000" ]Declared by:
services.osrm.port¶
Port on which the web server will run.
Type: signed integer
Default:
5000Declared by:
services.osrm.threads¶
Number of threads to use.
Type: signed integer
Default:
4Declared by:
services.ostinato.enable¶
Whether to enable Ostinato agent-controller (Drone).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ostinato.port¶
Port to listen on.
Type: signed integer
Default:
7878Declared by:
services.ostinato.portList.exclude¶
A list of ports does not appear on the port list managed by drone.
Type: list of strings
Default: ``[
]``
Example:
''[ "usbmon*" "eth0" ]''Declared by:
services.ostinato.portList.include¶
For a port to pass the filter and appear on the port list managed by drone, it be allowed by this include list.
Type: list of strings
Default: ``[
]``
Example:
''[ "eth*" "lo*" ]''Declared by:
services.ostinato.rateAccuracy¶
To ensure that the actual transmit rate is as close as possible to the configured transmit rate, Drone runs a busy-wait loop. While this provides the maximum accuracy possible, the CPU utilization is 100% while the transmit is on. You can however, sacrifice the accuracy to reduce the CPU load.
Type: one of “High”, “Low”
Default:
"High"Declared by:
services.ostinato.rpcServer.address¶
By default, the Drone RPC server will listen on all interfaces and local IPv4 adresses for incoming connections from clients. Specify a single IPv4 or IPv6 address if you want to restrict that. To listen on any IPv6 address, use
*Type:* stringDefault:
"0.0.0.0"Declared by:
services.owamp.enable¶
Whether to enable Enable OWAMP server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.oxidized.enable¶
Whether to enable the oxidized configuration backup service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.oxidized.configFile¶
Path to the oxidized configuration file.
Type: path
Example:
pkgs.writeText "oxidized-config.yml" '' --- debug: true use_syslog: true input: default: ssh ssh: secure: true interval: 3600 model_map: dell: powerconnect hp: procurve source: default: csv csv: delimiter: !ruby/regexp /:/ file: "/var/lib/oxidized/.config/oxidized/router.db" map: name: 0 model: 1 username: 2 password: 3 pid: "/var/lib/oxidized/.config/oxidized/pid" rest: 127.0.0.1:8888 retries: 3 # ... additional config '';Declared by:
services.oxidized.dataDir¶
State directory for the oxidized service.
Type: path
Default:
"/var/lib/oxidized"Declared by:
services.oxidized.group¶
Group under which the oxidized service runs.
Type: string
Default:
"oxidized"Declared by:
services.oxidized.routerDB¶
Path to the file/database which contains the targets for oxidized.
Type: path
Example:
pkgs.writeText "oxidized-router.db" '' hostname-sw1:powerconnect:username1:password2 hostname-sw2:procurve:username2:password2 # ... additional hosts ''Declared by:
services.oxidized.user¶
User under which the oxidized service runs.
Type: string
Default:
"oxidized"Declared by:
services.pantheon.apps.enable¶
Whether to enable Pantheon default applications.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pantheon.contractor.enable¶
Whether to enable contractor, a desktop-wide extension service used by Pantheon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.paperless.enable¶
Enable Paperless.
When started, the Paperless database is automatically created if it doesn’t exist and updated if the Paperless package has changed. Both tasks are achieved by running a Django migration.
Type: boolean
Default:
falseDeclared by:
services.paperless.package¶
The Paperless package to use.
Type: package
Default:
"pkgs.paperless"Declared by:
services.paperless.address¶
Server listening address.
Type: string
Default:
"localhost"Declared by:
services.paperless.consumptionDir¶
Directory from which new documents are imported.
Type: string
Default:
"\\${dataDir}/consume"Declared by:
services.paperless.consumptionDirIsPublic¶
Whether all users can write to the consumption dir.
Type: boolean
Default:
falseDeclared by:
services.paperless.dataDir¶
Directory to store the Paperless data.
Type: string
Default:
"/var/lib/paperless"Declared by:
services.paperless.extraConfig¶
Extra paperless config options.
The config values are evaluated as double-quoted Bash string literals.
See
paperless-src/paperless.conf.examplefor available options.To enable user authentication, set
PAPERLESS_DISABLE_LOGIN = "false"and run the shell command$dataDir/paperless-manage createsuperuser.To define secret options without storing them in /nix/store, use the following pattern:
PAPERLESS_PASSPHRASE = "$(< /etc/my_passphrase_file)"Type: attribute set
Default: ``{
}``
Example:
{ PAPERLESS_OCR_LANGUAGE = "deu"; }Declared by:
services.paperless.manage¶
A script to manage the Paperless instance. It wraps Django’s manage.py and is also available at``$dataDir/manage-paperless``
Type: package (read only)
Default:
*(build of paperless)*Declared by:
services.paperless.ocrLanguages¶
Languages available for OCR via Tesseract, specified as``ISO 639-2/T`` language codes. If unset, defaults to all available languages.
Type: null or list of strings
Default:
nullExample:
[ "eng" "spa" "jpn" ]Declared by:
services.paperless.port¶
Server port to listen on.
Type: signed integer
Default:
28981Declared by:
services.paperless.user¶
User under which Paperless runs.
Type: string
Default:
"paperless"Declared by:
services.parsoid.enable¶
Whether to enable Parsoid – bidirectional wikitext parser.
Type: boolean
Default:
falseDeclared by:
services.parsoid.extraConfig¶
Extra configuration to add to parsoid configuration.
Type: attribute set
Default: ``{
}``
Declared by:
services.parsoid.interface¶
Interface to listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.parsoid.port¶
Port to listen on.
Type: signed integer
Default:
8000Declared by:
services.parsoid.wikis¶
Used MediaWiki API endpoints.
Type: list of string or attribute sets
Example:
[ "http://localhost/api.php" ]Declared by:
services.parsoid.workers¶
Number of Parsoid workers.
Type: signed integer
Default:
2Declared by:
services.pcscd.enable¶
Whether to enable PCSC-Lite daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pcscd.plugins¶
Plugin packages to be used for PCSC-Lite.
Type: list of packages
Default:
"[ pkgs.ccid ]"Example:
[ pkgs.pcsc-cyberjack ]Declared by:
services.pcscd.readerConfig¶
Configuration for devices that aren’t hotpluggable.
See reader.conf5 for valid options.
Type: strings concatenated with “\n”
Default:
""Example:
'' FRIENDLYNAME "Some serial reader" DEVICENAME /dev/ttyS0 LIBPATH /path/to/serial_reader.so CHANNELID 1 ''Declared by:
services.pdns-recursor.enable¶
Whether to enable PowerDNS Recursor, a recursive DNS server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pdns-recursor.api.address¶
IP address Recursor REST API server will bind to.
Type: string
Default:
"0.0.0.0"Declared by:
services.pdns-recursor.api.allowFrom¶
IP address ranges of clients allowed to make API requests.
Type: list of strings
Default:
[ "0.0.0.0/0" ]Declared by:
services.pdns-recursor.api.port¶
Port number Recursor REST API server will bind to.
Type: signed integer
Default:
8082Declared by:
services.pdns-recursor.dns.address¶
IP address Recursor DNS server will bind to.
Type: string
Default:
"0.0.0.0"Declared by:
services.pdns-recursor.dns.allowFrom¶
IP address ranges of clients allowed to make DNS queries.
Type: list of strings
Default:
[ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]Example:
[ "0.0.0.0/0" ]Declared by:
services.pdns-recursor.dns.port¶
Port number Recursor DNS server will bind to.
Type: signed integer
Default:
53Declared by:
services.pdns-recursor.dnssecValidation¶
Controls the level of DNSSEC processing done by the PowerDNS Recursor. See https://doc.powerdns.com/md/recursor/dnssec/ for a detailed explanation.
Type: one of “off”, “process-no-validate”, “process”, “log-fail”, “validate”
Default:
"validate"Declared by:
services.pdns-recursor.exportHosts¶
Whether to export names and IP addresses defined in /etc/hosts.
Type: boolean
Default:
falseDeclared by:
services.pdns-recursor.forwardZones¶
DNS zones to be forwarded to other authoritative servers.
Type: attribute set
Default: ``{
}``
Declared by:
services.pdns-recursor.forwardZonesRecurse¶
DNS zones to be forwarded to other recursive servers.
Type: attribute set
Default: ``{
}``
Example:
{ eth = "127.0.0.1:5353"; }Declared by:
services.pdns-recursor.luaConfig¶
The content Lua configuration file for PowerDNS Recursor. See` <https://doc.powerdns.com/recursor/lua-config/index.html>`_.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.pdns-recursor.resolveDNSChainQueries¶
Resolve
.bittop-level domains using DNSChain and namecoin.Type: boolean
Default:
falseDeclared by:
services.pdns-recursor.serveRFC1918¶
Whether to directly resolve the RFC1918 reverse-mapping domains:
10.in-addr.arpa,``168.192.in-addr.arpa``,``16-31.172.in-addr.arpa`` This saves load on the AS112 servers.Type: boolean
Default:
trueDeclared by:
services.pdns-recursor.settings¶
PowerDNS Recursor settings. Use this option to configure Recursor settings not exposed in a NixOS option or to bypass one. See the full documentation at` <https://doc.powerdns.com/recursor/settings.html>`_ for the available options.
Type: attribute set of null or signed integer or string or boolean or path or list of signed integer or string or boolean or pathss
Default: ``{
}``
Example:
{ loglevel = 8; log-common-errors = true; }Declared by:
services.pdnsd.enable¶
Whether to enable pdnsd.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pdnsd.cacheDir¶
Directory holding the pdnsd cache
Type: string
Default:
"/var/cache/pdnsd"Declared by:
services.pdnsd.extraConfig¶
Extra configuration directives that should be added to``pdnsd.conf``.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.pdnsd.globalConfig¶
Global configuration that should be added to the global directory of
pdnsd.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.pdnsd.serverConfig¶
Server configuration that should be added to the server directory of
pdnsd.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.peerflix.enable¶
Whether to enable peerflix service.
Type: boolean
Default:
falseDeclared by:
services.peerflix.downloadDir¶
Peerflix temporary download directory.
Type: path
Default:
"/var/lib/peerflix/torrents"Declared by:
services.peerflix.stateDir¶
Peerflix state directory.
Type: path
Default:
"/var/lib/peerflix"Declared by:
services.pfix-srsd.enable¶
Whether to run the postfix sender rewriting scheme daemon.
Type: boolean
Default:
falseDeclared by:
services.pfix-srsd.domain¶
The domain for which to enable srs
Type: string
Example:
"example.com"Declared by:
services.pfix-srsd.secretsFile¶
The secret data used to encode the SRS address. to generate, use a command like:
for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; doneType: path
Default:
"/var/lib/pfix-srsd/secrets"Declared by:
services.pgmanage.enable¶
Whether to enable PostgreSQL Administration for the web.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pgmanage.package¶
The pgmanage package to use.
Type: package
Default:
"pkgs.pgmanage"Declared by:
services.pgmanage.allowCustomConnections¶
This tells pgmanage whether or not to allow anyone to use a custom connection from the login screen.
Type: boolean
Default:
falseDeclared by:
services.pgmanage.connections¶
pgmanage requires at least one PostgreSQL server be defined.
Detailed information about PostgreSQL connection strings is available at:` <http://www.postgresql.org/docs/current/static/libpq-connect.html>`_
Note that you should not specify your user name or password. That information will be entered on the login screen. If you specify a username or password, it will be removed by pgmanage before attempting to connect to a database.
Type: attribute set of strings
Default: ``{
}``
Example:
{ mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require"; nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres"; }Declared by:
services.pgmanage.localOnly¶
This tells pgmanage whether or not to set the listening socket to local addresses only.
Type: boolean
Default:
trueDeclared by:
services.pgmanage.logLevel¶
Verbosity of logs
Type: one of “error”, “warn”, “notice”, “info”
Default:
"error"Declared by:
services.pgmanage.loginGroup¶
This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage. Note that a connection will be made to PostgreSQL in order to test if the user is a member of the login group.
Type: null or string
Default:
nullDeclared by:
services.pgmanage.loginTimeout¶
Number of seconds of inactivity before user is automatically logged out.
Type: signed integer
Default:
3600Declared by:
services.pgmanage.port¶
This tells pgmanage what port to listen on for browser requests.
Type: signed integer
Default:
8080Declared by:
services.pgmanage.sqlRoot¶
This tells pgmanage where to put the SQL file history. All tabs are saved to this location so that if you get disconnected from pgmanage you don’t lose your work.
Type: string
Default:
"/var/lib/pgmanage"Declared by:
services.pgmanage.superOnly¶
This tells pgmanage whether or not to only allow super users to login. The recommended value is true and will restrict users who are not super users from logging in to any PostgreSQL instance through pgmanage. Note that a connection will be made to PostgreSQL in order to test if the user is a superuser.
Type: boolean
Default:
trueDeclared by:
services.pgmanage.tls¶
These options tell pgmanage where the TLS Certificate and Key files reside. If you use these options then you’ll only be able to access pgmanage through a secure TLS connection. These options are only necessary if you wish to connect directly to pgmanage using a secure TLS connection. As an alternative, you can set up pgmanage in a reverse proxy configuration. This allows your web server to terminate the secure connection and pass on the request to pgmanage. You can find help to set up this configuration in:` <https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md>`_
Type: null or submodule
Default:
nullDeclared by:
services.pgmanage.tls.cert¶
services.pgmanage.tls.key¶
services.pgpkeyserver-lite.enable¶
Whether to enable pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pgpkeyserver-lite.package¶
Which webgui derivation to use.
Type: package
Default:
"pkgs.pgpkeyserver-lite"Declared by:
services.pgpkeyserver-lite.hkpAddress¶
Wich ip address the sks-keyserver is listening on.
Type: string
Default:
"127.0.0.1"Declared by:
services.pgpkeyserver-lite.hkpPort¶
Which port the sks-keyserver is listening on.
Type: signed integer
Default:
11371Declared by:
services.pgpkeyserver-lite.hostname¶
Which hostname to set the vHost to that is proxying to sks.
Type: string
Declared by:
services.phpfpm.extraConfig¶
Extra configuration that should be put in the global section of the PHP-FPM configuration file. Do not specify the options``error_log`` or``daemonize`` here, since they are generated by NixOS.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.phpfpm.phpOptions¶
Options appended to the PHP configuration file
php.ini.Type: strings concatenated with “\n”
Default:
""Example:
'' date.timezone = "CET" ''Declared by:
services.phpfpm.phpPackage¶
The PHP package to use for running the PHP-FPM service.
Type: package
Default:
"pkgs.php"Declared by:
services.phpfpm.pools¶
PHP-FPM pools. If no pools are defined, the PHP-FPM service is disabled.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ mypool = { user = "php"; group = "php"; phpPackage = pkgs.php; settings = '' "pm" = "dynamic"; "pm.max_children" = 75; "pm.start_servers" = 10; "pm.min_spare_servers" = 5; "pm.max_spare_servers" = 20; "pm.max_requests" = 500; ''; } }Declared by:
services.phpfpm.pools.<name>.extraConfig¶
Extra lines that go into the pool configuration. See the documentation on
php-fpm.conffor details on configuration directives.Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.phpfpm.pools.<name>.group¶
Group account under which this pool runs.
Type: string
Declared by:
services.phpfpm.pools.<name>.listen¶
The address on which to accept FastCGI requests.
Type: string
Default:
""Example:
"/path/to/unix/socket"Declared by:
services.phpfpm.pools.<name>.phpEnv¶
Environment variables used for this PHP-FPM pool.
Type: attribute set of strings
Default: ``{
}``
Example:
{ HOSTNAME = "$HOSTNAME"; TMP = "/tmp"; TMPDIR = "/tmp"; TEMP = "/tmp"; }Declared by:
services.phpfpm.pools.<name>.phpOptions¶
“Options appended to the PHP configuration file
php.iniused for this PHP-FPM pool.”Type: strings concatenated with “\n”
Declared by:
services.phpfpm.pools.<name>.phpPackage¶
The PHP package to use for running this PHP-FPM pool.
Type: package
Default:
"config.services.phpfpm.phpPackage"Declared by:
services.phpfpm.pools.<name>.settings¶
PHP-FPM pool directives. Refer to the “List of pool directives” section of` <https://www.php.net/manual/en/install.fpm.configuration.php>`_ for details. Note that settings names must be enclosed in quotes (e.g.``”pm.max_children”`` instead of
pm.max_children).Type: attribute set of string or signed integer or booleans
Default: ``{
}``
Example:
{ "pm" = "dynamic"; "pm.max_children" = 75; "pm.start_servers" = 10; "pm.min_spare_servers" = 5; "pm.max_spare_servers" = 20; "pm.max_requests" = 500; }Declared by:
services.phpfpm.pools.<name>.socket¶
Path to the unix socket file on which to accept FastCGI requests.
Note
This option is read-only and managed by NixOS.
Type: string (read only)
Declared by:
services.phpfpm.pools.<name>.user¶
User account under which this pool runs.
Type: string
Declared by:
services.phpfpm.settings¶
PHP-FPM global directives. Refer to the “List of global php-fpm.conf directives” section of` <https://www.php.net/manual/en/install.fpm.configuration.php>`_ for details. Note that settings names must be enclosed in quotes (e.g.``”pm.max_children”`` instead of
pm.max_children). You need not specify the optionserror_logor``daemonize`` here, since they are generated by NixOS.Type: attribute set of string or signed integer or booleans
Default: ``{
}``
Declared by:
services.physlock.enable¶
Whether to enable the physlock screen locking mechanism.
Enable this and then run systemctl start physlock to securely lock the screen.
This will switch to a new virtual terminal, turn off console switching and disable SysRq mechanism (when is set) until the root or user password is given.
Type: boolean
Default:
falseDeclared by:
services.physlock.allowAnyUser¶
Whether to allow any user to lock the screen. This will install a setuid wrapper to allow any user to start physlock as root, which is a minor security risk. Call the physlock binary to use this instead of using the systemd service.
Note that you might need to relog to have the correct binary in your PATH upon changing this option.
Type: boolean
Default:
falseDeclared by:
services.physlock.disableSysRq¶
Whether to disable SysRq when locked with physlock.
Type: boolean
Default:
trueDeclared by:
services.physlock.lockOn.extraTargets¶
Other targets to lock the screen just before.
Useful if you want to e.g. both autologin to X11 so that your
~/.xsessiongets executed and still to have the screen locked so that the system can be booted relatively unattended.Type: list of strings
Default: ``[
]``
Example:
[ "display-manager.service" ]Declared by:
services.physlock.lockOn.hibernate¶
Whether to lock screen with physlock just before hibernate.
Type: boolean
Default:
trueDeclared by:
services.physlock.lockOn.suspend¶
Whether to lock screen with physlock just before suspend.
Type: boolean
Default:
trueDeclared by:
services.picom.enable¶
Whether of not to enable Picom as the X.org composite manager.
Type: boolean
Default:
falseDeclared by:
services.picom.activeOpacity¶
Opacity of active windows (number in range 0.0 - 1.0).
Type: string
Default:
"1.0"Example:
"0.8"Declared by:
services.picom.backend¶
Backend to use:
glx,xrenderorxr_glx_hybrid.Type: one of “glx”, “xrender”, “xr_glx_hybrid”
Default:
"xrender"Declared by:
services.picom.fade¶
Fade windows in and out.
Type: boolean
Default:
falseDeclared by:
services.picom.fadeDelta¶
Time between fade animation step (in ms).
Type: signed integer
Default:
10Example:
5Declared by:
services.picom.fadeExclude¶
List of conditions of windows that should not be faded. See
picom(1)man page for more examples.Type: list of strings
Default: ``[
]``
Example:
[ "window_type \*= 'menu'" "name ~= 'Firefox\\$'" "focused = 1" ]Declared by:
services.picom.fadeSteps¶
Opacity change between fade steps (in and out). (numbers in range 0.01 - 1.0)
Type: list of strings
Default:
[ "0.028" "0.03" ]Example:
[ "0.04" "0.04" ]Declared by:
services.picom.inactiveOpacity¶
Opacity of inactive windows (number in range 0.1 - 1.0).
Type: string
Default:
"1.0"Example:
"0.8"Declared by:
services.picom.opacityRules¶
Rules that control the opacity of windows, in format PERCENT:PATTERN.
Type: list of strings
Default: ``[
]``
Example:
[ "95:class_g = 'URxvt' && !_NET_WM_STATE@:32a" "0:_NET_WM_STATE@:32a \*= '_NET_WM_STATE_HIDDEN'" ]Declared by:
services.picom.refreshRate¶
Screen refresh rate (0 = automatically detect).
Type: signed integer
Default:
0Example:
60Declared by:
services.picom.settings¶
Additional Picom configuration.
Type: list of boolean or signed integer or floating point number or string or list of boolean or signed integer or floating point number or string or list of boolean or signed integer or floating point number or strings or attribute set of boolean or signed integer or floating point number or stringss or attribute set of boolean or signed integer or floating point number or string or list of boolean or signed integer or floating point number or strings or attribute set of boolean or signed integer or floating point number or stringsss or attribute set of boolean or signed integer or floating point number or string or list of boolean or signed integer or floating point number or string or list of boolean or signed integer or floating point number or strings or attribute set of boolean or signed integer or floating point number or stringss or attribute set of boolean or signed integer or floating point number or string or list of boolean or signed integer or floating point number or strings or attribute set of boolean or signed integer or floating point number or stringsss
Default: ``{
}``
Declared by:
services.picom.shadow¶
Draw window shadows.
Type: boolean
Default:
falseDeclared by:
services.picom.shadowExclude¶
List of conditions of windows that should have no shadow. See
picom(1)man page for more examples.Type: list of strings
Default: ``[
]``
Example:
[ "window_type \*= 'menu'" "name ~= 'Firefox\\$'" "focused = 1" ]Declared by:
services.picom.shadowOffsets¶
Left and right offset for shadows (in pixels).
Type: list of signed integers
Default:
[ -15 -15 ]Example:
[ -10 -15 ]Declared by:
services.picom.shadowOpacity¶
Window shadows opacity (number in range 0.0 - 1.0).
Type: string
Default:
"0.75"Example:
"0.8"Declared by:
services.picom.vSync¶
Enable vertical synchronization. Chooses the best method (drm, opengl, opengl-oml, opengl-swc, opengl-mswc) automatically. The bool value should be used, the others are just for backwards compatibility.
Type: boolean or one of “none”, “drm”, “opengl”, “opengl-oml”, “opengl-swc”, “opengl-mswc”
Default:
falseDeclared by:
services.picom.wintypes¶
Rules for specific window types.
Type: attribute set
Default:
{ dropdown_menu = { opacity = "1.0"; } ; popup_menu = { opacity = "1.0"; } ; }Example: ``{
}``
Declared by:
services.pipewire.enable¶
Whether to enable pipewire service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pipewire.socketActivation¶
Automatically run pipewire when connections are made to the pipewire socket.
Type: boolean
Default:
trueDeclared by:
services.piwik.nginx.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
trueDeclared by:
services.piwik.nginx.acmeFallbackHost¶
Host which to proxy requests to if acme challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
Type: null or string
Default:
nullDeclared by:
services.piwik.nginx.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenge"Declared by:
services.piwik.nginx.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.piwik.nginx.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the nix store.
Type: attribute set of strings
Default: ``{
}``
Example:
{ user = "password"; };Declared by:
services.piwik.nginx.basicAuthFile¶
Basic Auth password file for a vhost. Can be created via: htpasswd -c <filename> <username>
Type: null or path
Default:
nullDeclared by:
services.piwik.nginx.default¶
Makes this vhost the default.
Type: boolean
Default:
falseDeclared by:
services.piwik.nginx.extraConfig¶
These lines go to the end of the vhost verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.piwik.nginx.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
trueDeclared by:
services.piwik.nginx.globalRedirect¶
If set, all requests for this host are redirected permanently to the given hostname.
Type: null or string
Default:
nullExample:
"newserver.example.org"Declared by:
services.piwik.nginx.http2¶
Whether to enable HTTP 2. Note that (as of writing) due to nginx’s implementation, to disable HTTP 2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2,then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default:
trueDeclared by:
services.piwik.nginx.listen¶
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides
addSSLandonlySSL.Type: list of submodules
Default: ``[
]``
Example: ``[
{ addr = “195.154.1.1”; port = 443; ssl = true; }
{ addr = “192.154.1.1”; port = 80; }
]``
Declared by:
services.piwik.nginx.listen.*.addr¶
services.piwik.nginx.listen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of strings
Default: ``[
]``
Example:
[ "reuseport" "deferred" ]Declared by:
services.piwik.nginx.listen.*.port¶
Port number.
Type: signed integer
Default:
80Declared by:
services.piwik.nginx.listen.*.ssl¶
Enable SSL.
Type: boolean
Default:
falseDeclared by:
services.piwik.nginx.locations¶
Declarative location config
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; };Declared by:
services.piwik.nginx.locations.<name>.alias¶
Alias directory for requests.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.piwik.nginx.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.piwik.nginx.locations.<name>.index¶
Adds index directive.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.piwik.nginx.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.piwik.nginx.locations.<name>.proxyPass¶
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.piwik.nginx.locations.<name>.proxyWebsockets¶
Whether to supporty proxying websocket connections with HTTP/1.1.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.piwik.nginx.locations.<name>.return¶
Adds a return directive, for e.g. redirections.
Type: null or string
Default:
nullExample:
"301 http://example.com\\$request_uri"Declared by:
services.piwik.nginx.locations.<name>.root¶
Root directory for requests.
Type: null or path
Default:
nullExample:
"/your/root/directory"Declared by:
services.piwik.nginx.locations.<name>.tryFiles¶
Adds try_files directive.
Type: null or string
Default:
nullExample:
"\\$uri =404"Declared by:
services.piwik.nginx.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.piwik.nginx.root¶
The path of the web root directory.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.piwik.nginx.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "example.org" ]Declared by:
services.piwik.nginx.serverName¶
Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default:
nullExample:
"example.org"Declared by:
services.piwik.nginx.sslCertificate¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.piwik.nginx.sslCertificateKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.piwik.nginx.sslTrustedCertificate¶
Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default:
nullExample:
"/var/root.cert"Declared by:
services.piwik.nginx.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.plex.enable¶
Whether to enable Plex Media Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.plex.package¶
The Plex package to use. Plex subscribers may wish to use their own package here, pointing to subscriber-only server versions.
Type: package
Default:
"pkgs.plex"Declared by:
services.plex.dataDir¶
The directory where Plex stores its data files.
Type: string
Default:
"/var/lib/plex"Declared by:
services.plex.extraPlugins¶
A list of paths to extra plugin bundles to install in Plex’s plugin directory. Every time the systemd unit for Plex starts up, all of the symlinks in Plex’s plugin directory will be cleared and this module will symlink all of the paths specified here to that directory. If this behavior is undesired, set to false.
Type: list of paths
Default: ``[
]``
Declared by:
services.plex.group¶
Group under which Plex runs.
Type: string
Default:
"plex"Declared by:
services.plex.managePlugins¶
If set to true, this option will cause all of the symlinks in Plex’s plugin directory to be removed and symlinks for paths specified in to be added.
Type: boolean
Default:
trueDeclared by:
services.plex.openFirewall¶
Open ports in the firewall for the media server.
Type: boolean
Default:
falseDeclared by:
services.plex.user¶
User account under which Plex runs.
Type: string
Default:
"plex"Declared by:
services.polipo.enable¶
Whether to run the polipo caching web proxy.
Type: boolean
Default:
falseDeclared by:
services.polipo.allowedClients¶
List of IP addresses or network addresses that may connect to Polipo.
Type: list of strings
Default:
[ "127.0.0.1" "::1" ]Example:
[ "127.0.0.1" "::1" "134.157.168.0/24" "2001:660:116::/48" ]Declared by:
services.polipo.extraConfig¶
Polio configuration. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.polipo.parentProxy¶
Hostname and port number of an HTTP parent proxy; it should have the form ‘host:port’.
Type: string
Default:
""Example:
"localhost:8124"Declared by:
services.polipo.proxyAddress¶
IP address on which Polipo will listen.
Type: string
Default:
"127.0.0.1"Declared by:
services.polipo.proxyPort¶
TCP port on which Polipo will listen.
Type: signed integer
Default:
8123Declared by:
services.polipo.socksParentProxy¶
Hostname and port number of an SOCKS parent proxy; it should have the form ‘host:port’.
Type: string
Default:
""Example:
"localhost:9050"Declared by:
services.postfix.enable¶
Whether to run the Postfix mail server.
Type: boolean
Default:
falseDeclared by:
services.postfix.enableHeaderChecks¶
Whether to enable postfix header checks
Type: boolean
Default:
falseExample:
trueDeclared by:
services.postfix.enableSmtp¶
Whether to enable smtp in master.cf.
Type: unspecified
Default:
trueDeclared by:
services.postfix.enableSubmission¶
Whether to enable smtp submission.
Type: boolean
Default:
falseDeclared by:
services.postfix.aliasFiles¶
Aliases’ tables to be compiled and placed into /var/lib/postfix/conf.
Type: attribute set of paths
Default: ``{
}``
Declared by:
services.postfix.aliasMapType¶
The format the alias map should have. Use regexp if you want to use regular expressions.
Type: one of “hash”, “regexp”, “pcre”
Default:
"hash"Example:
"regexp"Declared by:
services.postfix.config¶
The main.cf configuration file as key value set.
Type: attribute set of boolean or string or list of stringss
Example:
{ mail_owner = "postfix"; smtp_use_tls = true; }Declared by:
services.postfix.destination¶
Full (!) list of domains we deliver locally. Leave blank for acceptable Postfix default.
Type: null or list of strings
Default:
nullExample:
[ "localhost" ]Declared by:
services.postfix.dnsBlacklistOverrides¶
contents of check_client_access for overriding dnsBlacklists
Type: unspecified
Default:
""Declared by:
services.postfix.dnsBlacklists¶
dns blacklist servers to use with smtpd_client_restrictions
Type: list of strings
Default: ``[
]``
Declared by:
services.postfix.domain¶
Domain to use. Leave blank to use hostname minus first component.
Type: string
Default:
""Declared by:
services.postfix.extraAliases¶
Additional entries to put verbatim into aliases file, cf. man-page aliases(8).
Type: strings concatenated with “\n”
Default:
""Declared by:
services.postfix.extraConfig¶
Extra lines to be added verbatim to the main.cf configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.postfix.extraHeaderChecks¶
Extra lines to /etc/postfix/header_checks file.
Type: strings concatenated with “\n”
Default:
""Example:
"/^X-Spam-Flag:/ REDIRECT spam@example.com"Declared by:
services.postfix.extraMasterConf¶
Extra lines to append to the generated master.cf file.
Type: strings concatenated with “\n”
Default:
""Example:
"submission inet n - n - - smtpd"Declared by:
services.postfix.group¶
What to call the Postfix group (must be used only for postfix).
Type: string
Default:
"postfix"Declared by:
services.postfix.headerChecks¶
Postfix header checks.
Type: list of submodules
Default: ``[
]``
Example: ``[
{ action = “REDIRECT spam@example.com”; pattern = “/^X-Spam-Flag:/”; }
]``
Declared by:
services.postfix.headerChecks.*.action¶
The action to be executed when the pattern is matched
Type: string
Default:
"DUNNO"Example:
"BCC mail@example.com"Declared by:
services.postfix.headerChecks.*.pattern¶
A regexp pattern matching the header
Type: string
Default:
"/^.*/"Example:
"/^X-Mailer:/"Declared by:
services.postfix.hostname¶
Hostname to use. Leave blank to use just the hostname of machine. It should be FQDN.
Type: string
Default:
""Declared by:
services.postfix.localRecipients¶
List of accepted local users. Specify a bare username, an``”@domain.tld”`` wild-card, or a complete``”user@domain.tld”`` address. If set, these names end up in the local recipient map – see the local(8) man-page – and effectively replace the system user database lookup that’s otherwise used by default.
Type: null or list of strings
Default:
nullDeclared by:
services.postfix.lookupMX¶
Whether relay specified is just domain whose MX must be used.
Type: boolean
Default:
falseDeclared by:
services.postfix.mapFiles¶
Maps to be compiled and placed into /var/lib/postfix/conf.
Type: attribute set of paths
Default: ``{
}``
Declared by:
services.postfix.masterConfig¶
An attribute set of service options, which correspond to the service definitions usually done within the Postfix:file:master.cf file.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ submission = { args = [ "-o" "smtpd_tls_security_level=encrypt" ] ; type = "inet"; } ; }Declared by:
services.postfix.masterConfig.<name>.args¶
Arguments to pass to the . There is no shell processing involved and shell syntax is passed verbatim to the process.
Type: list of strings
Default: ``[
]``
Example:
[ "-o" "smtp_helo_timeout=5" ]Declared by:
services.postfix.masterConfig.<name>.chroot¶
Whether the service is chrooted to have only access to the and the closure of store paths specified by the option.
Type: boolean
Example:
trueDeclared by:
services.postfix.masterConfig.<name>.command¶
A program name specifying a Postfix service/daemon process. By default it’s the attribute .
Type: string
Default:
"‹name›"Example:
"smtpd"Declared by:
services.postfix.masterConfig.<name>.maxproc¶
The maximum number of processes to spawn for this service. If the value is
0it doesn’t have any limit. If``null`` is given it uses the postfix default of``100``.Type: signed integer
Example:
1Declared by:
services.postfix.masterConfig.<name>.name¶
The name of the service to run. Defaults to the attribute set key.
Type: string
Default:
"‹name›"Example:
"smtp"Declared by:
services.postfix.masterConfig.<name>.private¶
Whether the service’s sockets and storage directory is restricted to be only available via the mail system. If
nullis given it uses the postfix defaulttrue.Type: boolean
Example:
falseDeclared by:
services.postfix.masterConfig.<name>.privileged¶
services.postfix.masterConfig.<name>.type¶
The type of the service
Type: one of “inet”, “unix”, “fifo”, “pass”
Default:
"unix"Example:
"inet"Declared by:
services.postfix.masterConfig.<name>.wakeup¶
Automatically wake up the service after the specified number of seconds. If
0is given, never wake the service up.Type: signed integer
Example:
60Declared by:
services.postfix.masterConfig.<name>.wakeupUnusedComponent¶
If set to
falsethe component will only be woken up if it is used. This is equivalent to postfix’ notion of adding a question mark behind the wakeup time in:file:master.cfType: boolean
Example:
falseDeclared by:
services.postfix.networks¶
Net masks for trusted - allowed to relay mail to third parties - hosts. Leave empty to use mynetworks_style configuration or use default (localhost-only).
Type: null or list of strings
Default:
nullExample:
[ "192.168.0.1/24" ]Declared by:
services.postfix.networksStyle¶
Name of standard way of trusted network specification to use, leave blank if you specify it explicitly or if you want to use default (localhost-only).
Type: string
Default:
""Declared by:
services.postfix.origin¶
Origin to use in outgoing e-mail. Leave blank to use hostname.
Type: string
Default:
""Declared by:
services.postfix.postmasterAlias¶
Who should receive postmaster e-mail. Multiple values can be added by separating values with comma.
Type: string
Default:
"root"Declared by:
services.postfix.recipientDelimiter¶
Delimiter for address extension: so mail to user+test can be handled by ~user/.forward+test
Type: string
Default:
""Example:
"+"Declared by:
services.postfix.relayDomains¶
List of domains we agree to relay to. Default is empty.
Type: null or list of strings
Default:
nullExample:
[ "localdomain" ]Declared by:
services.postfix.relayHost¶
Mail relay for outbound mail.
Type: string
Default:
""Declared by:
services.postfix.relayPort¶
SMTP port for relay mail relay.
Type: signed integer
Default:
25Declared by:
services.postfix.rootAlias¶
Who should receive root e-mail. Blank for no redirection. Multiple values can be added by separating values with comma.
Type: string
Default:
""Declared by:
services.postfix.setSendmail¶
Whether to set the system sendmail to postfix’s.
Type: boolean
Default:
trueDeclared by:
services.postfix.setgidGroup¶
How to call postfix setgid group (for postdrop). Should be uniquely used group.
Type: string
Default:
"postdrop"Declared by:
services.postfix.sslCACert¶
SSL certificate of CA.
Type: string
Default:
""Declared by:
services.postfix.sslCert¶
SSL certificate to use.
Type: string
Default:
""Declared by:
services.postfix.sslKey¶
SSL key to use.
Type: string
Default:
""Declared by:
services.postfix.submissionOptions¶
Options for the submission config in master.cf
Type: attribute set
Default:
{ milter_macro_daemon_name = "ORIGINATING"; smtpd_client_restrictions = "permit_sasl_authenticated,reject"; smtpd_sasl_auth_enable = "yes"; smtpd_tls_security_level = "encrypt"; }Example:
{ milter_macro_daemon_name = "ORIGINATING"; smtpd_client_restrictions = "permit_sasl_authenticated,reject"; smtpd_sasl_auth_enable = "yes"; smtpd_sasl_type = "dovecot"; smtpd_tls_security_level = "encrypt"; }Declared by:
services.postfix.transport¶
Entries for the transport map, cf. man-page transport(8).
Type: unspecified
Default:
""Declared by:
services.postfix.useSrs¶
Whether to enable sender rewriting scheme
Type: boolean
Default:
falseDeclared by:
services.postfix.user¶
What to call the Postfix user (must be used only for postfix).
Type: string
Default:
"postfix"Declared by:
services.postfix.virtual¶
Entries for the virtual alias map, cf. man-page virtual(8).
Type: strings concatenated with “\n”
Default:
""Declared by:
services.postfix.virtualMapType¶
What type of virtual alias map file to use. Use
"regexp"for regular expressions.Type: one of “hash”, “regexp”, “pcre”
Default:
"hash"Declared by:
services.postgresql.enable¶
Whether to run PostgreSQL.
Type: boolean
Default:
falseDeclared by:
services.postgresql.enableTCPIP¶
Whether PostgreSQL should listen on all network interfaces. If disabled, the database can only be accessed via its Unix domain socket or via TCP connections to localhost.
Type: boolean
Default:
falseDeclared by:
services.postgresql.package¶
PostgreSQL package to use.
Type: package
Example:
pkgs.postgresql_11Declared by:
services.postgresql.authentication¶
Defines how users authenticate themselves to the server. By default, “trust” access to local users will always be granted along with any other custom options. If you do not want this, set this option using “lib.mkForce” to override this behaviour.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.postgresql.dataDir¶
Data directory for PostgreSQL.
Type: path
Example:
"/var/lib/postgresql/11"Declared by:
services.postgresql.ensureDatabases¶
Ensures that the specified databases exist. This option will never delete existing databases, especially not when the value of this option is changed. This means that databases created once through this option or otherwise have to be removed manually.
Type: list of strings
Default: ``[
]``
Example:
[ "gitea" "nextcloud" ]Declared by:
services.postgresql.ensureUsers¶
Ensures that the specified users exist and have at least the ensured permissions. The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the same name only, and that without the need for a password. This option will never delete existing users or remove permissions, especially not when the value of this option is changed. This means that users created and permissions assigned once through this option or otherwise have to be removed manually.
Type: list of submodules
Default: ``[
]``
Example:
[ { name = "nextcloud"; ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; }; } { name = "superuser"; ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; }; } ]Declared by:
services.postgresql.ensureUsers.*.ensurePermissions¶
Permissions to ensure for the user, specified as an attribute set. The attribute names specify the database and tables to grant the permissions for. The attribute values specify the permissions to grant. You may specify one or multiple comma-separated SQL privileges here.
For more information on how to specify the target and on which privileges exist, see the`GRANT syntax <https://www.postgresql.org/docs/current/sql-grant.html>`_. The attributes are used as GRANT ${attrName} ON ${attrValue}.
Type: attribute set of strings
Default: ``{
}``
Example:
{ "DATABASE nextcloud" = "ALL PRIVILEGES"; "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; }Declared by:
services.postgresql.ensureUsers.*.name¶
Name of the user to ensure.
Type: string
Declared by:
services.postgresql.extraConfig¶
Additional text to be appended to
postgresql.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.postgresql.extraPlugins¶
List of PostgreSQL plugins. PostgreSQL version for each plugin should match version for
services.postgresql.packagevalue.Type: list of paths
Default: ``[
]``
Example:
with pkgs.postgresql_11.pkgs; [ postgis pg_repack ]Declared by:
services.postgresql.identMap¶
Defines the mapping from system users to database users.
The general form is:
map-name system-username database-username
Type: strings concatenated with “\n”
Default:
""Declared by:
services.postgresql.initdbArgs¶
Additional arguments passed to
initdbduring data dir initialisation.Type: list of strings
Default: ``[
]``
Example:
[ "--data-checksums" "--allow-group-access" ]Declared by:
services.postgresql.initialScript¶
A file containing SQL statements to execute on first startup.
Type: null or path
Default:
nullDeclared by:
services.postgresql.port¶
The port on which PostgreSQL listens.
Type: signed integer
Default:
5432Declared by:
services.postgresql.recoveryConfig¶
Contents of the
recovery.conffile.Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.postgresqlBackup.enable¶
Whether to enable PostgreSQL dumps.
Type: unspecified
Default:
falseDeclared by:
services.postgresqlBackup.backupAll¶
Backup all databases using pg_dumpall. This option is mutual exclusive to``services.postgresqlBackup.databases``. The resulting backup dump will have the name all.sql.gz. This option is the default if no databases are specified.
Type: boolean
Default:
"services.postgresqlBackup.databases == \[]"Declared by:
services.postgresqlBackup.databases¶
services.postgresqlBackup.location¶
Location to put the gzipped PostgreSQL database dumps.
Type: unspecified
Default:
"/var/backup/postgresql"Declared by:
services.postgresqlBackup.pgdumpOptions¶
Command line options for pg_dump. This options is not used if
config.services.postgresqlBackup.backupAllis enabled. Note that config.services.postgresqlBackup.backupAll is also active, when no databases where specified.Type: strings concatenated with ” “
Default:
"-C"Declared by:
services.postgresqlBackup.startAt¶
This option defines (see
systemd.timefor format) when the databases should be dumped. The default is to update at 01:15 (at night) every day.Type: unspecified
Default:
"\*-*-* 01:15:00"Declared by:
services.postgresqlWalReceiver.receivers¶
PostgreSQL WAL receivers. Stream write-ahead logs from a PostgreSQL server using pg_receivewal (formerly pg_receivexlog). See the man page for more information.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ main = { postgresqlPackage = pkgs.postgresql_11; directory = /mnt/pg_wal/main/; slot = "main_wal_receiver"; connection = "postgresql://user@somehost"; }; }Declared by:
services.postgresqlWalReceiver.receivers.<name>.compress¶
Enables gzip compression of write-ahead logs, and specifies the compression level (
0through9,0being no compression and9being best compression). The suffix.gzwill automatically be added to all filenames.This option requires PostgreSQL >= 10.
Type: integer between 0 and 9 (both inclusive)
Default:
0Declared by:
services.postgresqlWalReceiver.receivers.<name>.connection¶
Specifies parameters used to connect to the server, as a connection string. See Section 34.1.1 of the PostgreSQL manual for more information.
Because pg_receivewal doesn’t connect to any particular database in the cluster, database name in the connection string will be ignored.
Type: string
Example:
"postgresql://user@somehost"Declared by:
services.postgresqlWalReceiver.receivers.<name>.directory¶
Directory to write the output to.
Type: path
Example:
/mnt/pg_wal/main/Declared by:
services.postgresqlWalReceiver.receivers.<name>.environment¶
Environment variables passed to the service. Usable parameters are listed in Section 34.14 of the PostgreSQL manual.
Type: attribute set of strings
Default: ``{
}``
Example:
{ PGPASSFILE = "/private/passfile"; PGSSLMODE = "require"; }Declared by:
services.postgresqlWalReceiver.receivers.<name>.extraArgs¶
A list of extra arguments to pass to the pg_receivewal command.
Type: list of strings
Default: ``[
]``
Example:
[ "--no-sync" ]Declared by:
services.postgresqlWalReceiver.receivers.<name>.postgresqlPackage¶
PostgreSQL package to use.
Type: package
Example:
pkgs.postgresql_11Declared by:
services.postgresqlWalReceiver.receivers.<name>.slot¶
Require pg_receivewal to use an existing replication slot (see`Section 26.2.6 of the PostgreSQL manual <https://www.postgresql.org/docs/current/warm-standby.html#STREAMING-REPLICATION-SLOTS>`_). When this option is used, pg_receivewal will report a flush position to the server, indicating when each segment has been synchronized to disk so that the server can remove that segment if it is not otherwise needed.
When the replication client of pg_receivewal is configured on the server as a synchronous standby, then using a replication slot will report the flush position to the server, but only when a WAL file is closed. Therefore, that configuration will cause transactions on the primary to wait for a long time and effectively not work satisfactorily. The option must be specified in addition to make this work correctly.
Type: string
Default:
""Example:
"some_slot_name"Declared by:
services.postgresqlWalReceiver.receivers.<name>.statusInterval¶
Specifies the number of seconds between status packets sent back to the server. This allows for easier monitoring of the progress from server. A value of zero disables the periodic status updates completely, although an update will still be sent when requested by the server, to avoid timeout disconnect.
Type: signed integer
Default:
10Declared by:
services.postgresqlWalReceiver.receivers.<name>.synchronous¶
Flush the WAL data to disk immediately after it has been received. Also send a status packet back to the server immediately after flushing, regardless of .
This option should be specified if the replication client of pg_receivewal is configured on the server as a synchronous standby, to ensure that timely feedback is sent to the server.
Type: boolean
Default:
falseDeclared by:
services.postgrey.enable¶
Whether to run the Postgrey daemon
Type: boolean
Default:
falseDeclared by:
services.postgrey.IPv4CIDR¶
Strip N bits from IPv4 addresses if lookupBySubnet is true
Type: signed integer
Default:
24Declared by:
services.postgrey.IPv6CIDR¶
Strip N bits from IPv6 addresses if lookupBySubnet is true
Type: signed integer
Default:
64Declared by:
services.postgrey.autoWhitelist¶
Whitelist clients after successful delivery of N messages
Type: null or signed integer
Default:
5Declared by:
services.postgrey.delay¶
Greylist for N seconds
Type: signed integer
Default:
300Declared by:
services.postgrey.greylistAction¶
Response status for greylisted messages (see access(5))
Type: string
Default:
"DEFER_IF_PERMIT"Declared by:
services.postgrey.greylistHeader¶
Prepend header to greylisted mails; use %%t for seconds delayed due to greylisting, %%v for the version of postgrey, %%d for the date, and %%h for the host
Type: string
Default:
"X-Greylist: delayed %%t seconds by postgrey-%%v at %%h; %%d"Declared by:
services.postgrey.greylistText¶
Response status text for greylisted messages; use %%s for seconds left until greylisting is over and %%r for mail domain of recipient
Type: string
Default:
"Greylisted for %%s seconds"Declared by:
services.postgrey.lookupBySubnet¶
Strip the last N bits from IP addresses, determined by IPv4CIDR and IPv6CIDR
Type: boolean
Default:
trueDeclared by:
services.postgrey.maxAge¶
Delete entries from whitelist if they haven’t been seen for N days
Type: signed integer
Default:
35Declared by:
services.postgrey.privacy¶
Store data using one-way hash functions (SHA1)
Type: boolean
Default:
trueDeclared by:
services.postgrey.retryWindow¶
Allow N days for the first retry. Use string with appended ‘h’ to specify time in hours
Type: string or signed integer
Default:
2Example:
"12h"Declared by:
services.postgrey.socket¶
Socket to bind to
Type: submodule or submodule
Default:
{ mode = "0777"; path = "/run/postgrey.sock"; }Example:
{ addr = "127.0.0.1"; port = 10030; }Declared by:
services.postgrey.whitelistClients¶
services.postgrey.whitelistRecipients¶
Recipient address whitelist files (see postgrey(8))
Type: list of paths
Default: ``[
]``
Declared by:
services.postsrsd.enable¶
Whether to enable the postsrsd SRS server for Postfix.
Type: boolean
Default:
falseDeclared by:
services.postsrsd.domain¶
Domain name for rewrite
Type: string
Declared by:
services.postsrsd.excludeDomains¶
Origin domains to exclude from rewriting in addition to primary domain
Type: list of strings
Default: ``[
]``
Declared by:
services.postsrsd.forwardPort¶
Port for the forward SRS lookup
Type: signed integer
Default:
10001Declared by:
services.postsrsd.group¶
Group for the daemon
Type: string
Default:
"postsrsd"Declared by:
services.postsrsd.reversePort¶
Port for the reverse SRS lookup
Type: signed integer
Default:
10002Declared by:
services.postsrsd.secretsFile¶
Secret keys used for signing and verification
Type: path
Default:
"/var/lib/postsrsd/postsrsd.secret"Declared by:
services.postsrsd.separator¶
First separator character in generated addresses
Type: one of “-“, “=”, “+”
Default:
"="Declared by:
services.postsrsd.timeout¶
Timeout for idle client connections in seconds
Type: signed integer
Default:
1800Declared by:
services.postsrsd.user¶
User for the daemon
Type: string
Default:
"postsrsd"Declared by:
services.powerdns.enable¶
Whether to enable Powerdns domain name server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.powerdns.extraConfig¶
Extra lines to be added verbatim to pdns.conf. Powerdns will chroot to /var/lib/powerdns. So any file, powerdns is supposed to be read, should be in /var/lib/powerdns and needs to specified relative to the chroot.
Type: strings concatenated with “\n”
Default:
"launch=bind"Declared by:
services.pppd.enable¶
Whether to enable pppd.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pppd.package¶
pppd package to use.
Type: package
Default:
"pkgs.ppp"Declared by:
services.pppd.peers.<name>.enable¶
Whether to enable this PPP peer.
Type: boolean
Default:
trueExample:
falseDeclared by:
services.pppd.peers.<name>.autostart¶
Whether the PPP session is automatically started at boot time.
Type: boolean
Default:
trueExample:
falseDeclared by:
services.pppd.peers.<name>.config¶
pppd configuration for this peer, see the pppd(8) man page.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.pppd.peers.<name>.name¶
Name of the PPP peer.
Type: string
Default:
"‹name›"Example:
"dialup"Declared by:
services.pptpd.enable¶
Whether to enable pptpd, the Point-to-Point Tunneling Protocol daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.pptpd.clientIpRange¶
The range from which client IPs are drawn.
Type: string
Default:
"10.124.124.2-11"Declared by:
services.pptpd.extraPppdOptions¶
Adds extra lines to the pppd options file.
Type: strings concatenated with “\n”
Default:
""Example:
'' ms-dns 8.8.8.8 ms-dns 8.8.4.4 ''Declared by:
services.pptpd.extraPptpdOptions¶
Adds extra lines to the pptpd configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.pptpd.maxClients¶
The maximum number of simultaneous connections.
Type: signed integer
Default:
10Declared by:
services.pptpd.serverIp¶
The server-side IP address.
Type: string
Default:
"10.124.124.1"Declared by:
services.prayer.enable¶
Whether to run the prayer webmail http server.
Type: unspecified
Default:
falseDeclared by:
services.prayer.extraConfig¶
Extra configuration. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.prayer.port¶
Port the prayer http server is listening to.
Type: unspecified
Default:
"2080"Declared by:
services.prey.enable¶
Enables the ` <http://preyproject.com/>`_ shell client. Be sure to specify both API and device keys. Once enabled, a cron job will run every 15 minutes to report status information.
Type: boolean
Default:
falseDeclared by:
services.prey.apiKey¶
services.prey.deviceKey¶
Device keyobtained by visiting` <https://panel.preyproject.com/devices>`_ and clicking on your device.Type: string
Declared by:
services.printing.enable¶
Whether to enable printing support through the CUPS daemon.
Type: boolean
Default:
falseDeclared by:
services.printing.browsedConf¶
The contents of the configuration. file of the CUPS Browsed daemon (
cups-browsed.conf)Type: strings concatenated with “\n”
Default:
""Example:
'' BrowsePoll cups.example.com ''Declared by:
services.printing.browsing¶
Specifies whether shared printers are advertised.
Type: boolean
Default:
falseDeclared by:
services.printing.clientConf¶
The contents of the client configuration. (
client.conf)Type: strings concatenated with “\n”
Default:
""Example:
'' ServerName server.example.com Encryption Never ''Declared by:
services.printing.drivers¶
CUPS drivers to use. Drivers provided by CUPS, cups-filters, Ghostscript and Samba are added unconditionally. If this list contains Gutenprint (i.e. a derivation with``meta.isGutenprint = true``) the PPD files in:file:/var/lib/cups/ppd will be updated automatically to avoid errors due to incompatible versions.
Type: list of paths
Default: ``[
]``
Example:
with pkgs; [ gutenprint hplip splix cups-googlecloudprint ]Declared by:
services.printing.extraConf¶
Extra contents of the configuration file of the CUPS daemon (
cupsd.conf).Type: strings concatenated with “\n”
Default:
""Example:
'' BrowsePoll cups.example.com MaxCopies 42 ''Declared by:
services.printing.extraFilesConf¶
Extra contents of the configuration file of the CUPS daemon (
cups-files.conf).Type: strings concatenated with “\n”
Default:
""Declared by:
services.printing.listenAddresses¶
A list of addresses and ports on which to listen.
Type: list of strings
Default:
[ "localhost:631" ]Example:
[ "\*:631" ]Declared by:
services.printing.logLevel¶
Specifies the cupsd logging verbosity.
Type: string
Default:
"info"Example:
"debug"Declared by:
services.printing.snmpConf¶
The contents of
/etc/cups/snmp.conf. See “man cups-snmp.conf” for a complete description.Type: strings concatenated with “\n”
Default:
'' Address @LOCAL ''Declared by:
services.printing.startWhenNeeded¶
If set, CUPS is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start it on the first incoming connection.
Type: boolean
Default:
trueDeclared by:
services.printing.tempDir¶
CUPSd temporary directory.
Type: path
Default:
"/tmp"Example:
"/tmp/cups"Declared by:
services.printing.webInterface¶
Specifies whether the web interface is enabled.
Type: boolean
Default:
trueDeclared by:
services.privoxy.enable¶
Whether to enable the Privoxy non-caching filtering proxy.
Type: boolean
Default:
falseDeclared by:
services.privoxy.enableEditActions¶
Whether or not the web-based actions file editor may be used.
Type: boolean
Default:
falseDeclared by:
services.privoxy.actionsFiles¶
List of paths to Privoxy action files. These paths may either be absolute or relative to the privoxy configuration directory.
Type: list of strings
Default:
[ "match-all.action" "default.action" ]Example:
[ "match-all.action" "default.action" "/etc/privoxy/user.action" ]Declared by:
services.privoxy.extraConfig¶
Extra configuration. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.privoxy.filterFiles¶
List of paths to Privoxy filter files. These paths may either be absolute or relative to the privoxy configuration directory.
Type: list of strings
Default:
[ "default.filter" ]Example:
[ "default.filter" "/etc/privoxy/user.filter" ]Declared by:
services.privoxy.listenAddress¶
Address the proxy server is listening to.
Type: string
Default:
"127.0.0.1:8118"Declared by:
services.prometheus.enable¶
Enable the Prometheus monitoring daemon.
Type: boolean
Default:
falseDeclared by:
services.prometheus.package¶
The prometheus package that should be used.
Type: package
Default:
"pkgs.prometheus"Declared by:
services.prometheus.alertmanager.enable¶
Whether to enable Prometheus Alertmanager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.alertmanager.package¶
Package that should be used for alertmanager.
Type: package
Default:
"pkgs.alertmanager"Declared by:
services.prometheus.alertmanager.configText¶
Alertmanager configuration as YAML text. If non-null, this option defines the text that is written to alertmanager.yml. If null, the contents of alertmanager.yml is generated from the structured config options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.prometheus.alertmanager.configuration¶
Alertmanager configuration as nix attribute set.
Type: null or attribute set
Default:
nullDeclared by:
services.prometheus.alertmanager.environmentFile¶
File to load as environment file. Environment variables from this file will be interpolated into the config file using envsubst with this syntax:
$ENVIRONMENT ${VARIABLE}Type: null or path
Default:
nullExample:
"/root/alertmanager.env"Declared by:
services.prometheus.alertmanager.extraFlags¶
Extra commandline options when launching the Alertmanager.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.alertmanager.listenAddress¶
Address to listen on for the web interface and API. Empty string will listen on all interfaces. “localhost” will listen on 127.0.0.1 (but not ::1).
Type: string
Default:
""Declared by:
services.prometheus.alertmanager.logFormat¶
If set use a syslog logger or JSON logging.
Type: null or string
Default:
nullDeclared by:
services.prometheus.alertmanager.logLevel¶
Only log messages with the given severity or above.
Type: one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
"warn"Declared by:
services.prometheus.alertmanager.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.alertmanager.port¶
Port to listen on for the web interface and API.
Type: signed integer
Default:
9093Declared by:
services.prometheus.alertmanager.webExternalUrl¶
The URL under which Alertmanager is externally reachable (for example, if Alertmanager is served via a reverse proxy). Used for generating relative and absolute links back to Alertmanager itself. If the URL has a path portion, it will be used to prefix all HTTP endoints served by Alertmanager. If omitted, relevant URL components will be derived automatically.
Type: null or string
Default:
nullDeclared by:
services.prometheus.alertmanagerNotificationQueueCapacity¶
The capacity of the queue for pending alert manager notifications.
Type: signed integer
Default:
10000Declared by:
services.prometheus.alertmanagerTimeout¶
Alert manager HTTP API timeout (in seconds).
Type: signed integer
Default:
10Declared by:
services.prometheus.alertmanagers¶
A list of alertmanagers to send alerts to. See the official documentation for more information.
Type: list of attribute sets
Default: ``[
]``
Example:
[ { scheme = "https"; path_prefix = "/alertmanager"; static_configs = [ { targets = [ "prometheus.domain.tld" ]; } ]; } ]Declared by:
services.prometheus.configText¶
If non-null, this option defines the text that is written to prometheus.yml. If null, the contents of prometheus.yml is generated from the structured config options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.prometheus.exporters¶
Prometheus exporter configuration
Type: submodule
Default: ``{
}``
Example:
{ node = { enable = true; enabledCollectors = [ "systemd" ]; }; varnish.enable = true; }Declared by:
services.prometheus.exporters.bind.enable¶
Whether to enable the prometheus bind exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.bind.bindGroups¶
List of statistics to collect. Available: [server, view, tasks]
Type: list of one of “server”, “view”, “tasks”s
Default:
[ "server" "view" ]Declared by:
services.prometheus.exporters.bind.bindTimeout¶
Timeout for trying to get stats from Bind.
Type: string
Default:
"10s"Declared by:
services.prometheus.exporters.bind.bindURI¶
HTTP XML API address of an Bind server.
Type: string
Default:
"http://localhost:8053/"Declared by:
services.prometheus.exporters.bind.bindVersion¶
BIND statistics version. Can be detected automatically.
Type: one of “xml.v2”, “xml.v3”, “auto”
Default:
"auto"Declared by:
services.prometheus.exporters.bind.extraFlags¶
Extra commandline options to pass to the bind exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.bind.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9119"Example:
"-i eth0 -p tcp -m tcp --dport 9119"Declared by:
services.prometheus.exporters.bind.group¶
Group under which the bind exporter shall be run. Has no effect when is true.
Type: string
Default:
"bind-exporter"Declared by:
services.prometheus.exporters.bind.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.bind.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.bind.port¶
Port to listen on.
Type: signed integer
Default:
9119Declared by:
services.prometheus.exporters.bind.user¶
User name under which the bind exporter shall be run. Has no effect when is true.
Type: string
Default:
"bind-exporter"Declared by:
services.prometheus.exporters.blackbox.enable¶
Whether to enable the prometheus blackbox exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.blackbox.enableConfigCheck¶
Whether to run a correctness check for the configuration file. This depends on the configuration file residing in the nix-store. Paths passed as string will be copied to the store.
Type: boolean
Default:
trueDeclared by:
services.prometheus.exporters.blackbox.configFile¶
Path to configuration file.
Type: path
Declared by:
services.prometheus.exporters.blackbox.extraFlags¶
Extra commandline options to pass to the blackbox exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.blackbox.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9115"Example:
"-i eth0 -p tcp -m tcp --dport 9115"Declared by:
services.prometheus.exporters.blackbox.group¶
Group under which the blackbox exporter shall be run. Has no effect when is true.
Type: string
Default:
"blackbox-exporter"Declared by:
services.prometheus.exporters.blackbox.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.blackbox.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.blackbox.port¶
Port to listen on.
Type: signed integer
Default:
9115Declared by:
services.prometheus.exporters.blackbox.user¶
User name under which the blackbox exporter shall be run. Has no effect when is true.
Type: string
Default:
"blackbox-exporter"Declared by:
services.prometheus.exporters.collectd.enable¶
Whether to enable the prometheus collectd exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.collectd.collectdBinary.enable¶
Whether to enable collectd binary protocol receiver.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.collectd.collectdBinary.authFile¶
File mapping user names to pre-shared keys (passwords).
Type: null or path
Default:
nullDeclared by:
services.prometheus.exporters.collectd.collectdBinary.listenAddress¶
Address to listen on for binary network packets.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.collectd.collectdBinary.port¶
Network address on which to accept collectd binary network packets.
Type: signed integer
Default:
25826Declared by:
services.prometheus.exporters.collectd.collectdBinary.securityLevel¶
Minimum required security level for accepted packets.
Type: one of “None”, “Sign”, “Encrypt”
Default:
"None"Declared by:
services.prometheus.exporters.collectd.extraFlags¶
Extra commandline options to pass to the collectd exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.collectd.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9103"Example:
"-i eth0 -p tcp -m tcp --dport 9103"Declared by:
services.prometheus.exporters.collectd.group¶
Group under which the collectd exporter shall be run. Has no effect when is true.
Type: string
Default:
"collectd-exporter"Declared by:
services.prometheus.exporters.collectd.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.collectd.logFormat¶
Set the log target and format.
Type: string
Default:
"logger:stderr"Example:
"logger:syslog?appname=bob&local=7 or logger:stdout?json=true"Declared by:
services.prometheus.exporters.collectd.logLevel¶
Only log messages with the given severity or above.
Type: one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
"info"Declared by:
services.prometheus.exporters.collectd.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.collectd.port¶
Port to listen on.
Type: signed integer
Default:
9103Declared by:
services.prometheus.exporters.collectd.user¶
User name under which the collectd exporter shall be run. Has no effect when is true.
Type: string
Default:
"collectd-exporter"Declared by:
services.prometheus.exporters.dnsmasq.enable¶
Whether to enable the prometheus dnsmasq exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.dnsmasq.dnsmasqListenAddress¶
Address on which dnsmasq listens.
Type: string
Default:
"localhost:53"Declared by:
services.prometheus.exporters.dnsmasq.extraFlags¶
Extra commandline options to pass to the dnsmasq exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.dnsmasq.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9153"Example:
"-i eth0 -p tcp -m tcp --dport 9153"Declared by:
services.prometheus.exporters.dnsmasq.group¶
Group under which the dnsmasq exporter shall be run. Has no effect when is true.
Type: string
Default:
"dnsmasq-exporter"Declared by:
services.prometheus.exporters.dnsmasq.leasesPath¶
Path to the
dnsmasq.leasesfile.Type: path
Default:
"/var/lib/misc/dnsmasq.leases"Example:
"/var/lib/dnsmasq/dnsmasq.leases"Declared by:
services.prometheus.exporters.dnsmasq.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.dnsmasq.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.dnsmasq.port¶
Port to listen on.
Type: signed integer
Default:
9153Declared by:
services.prometheus.exporters.dnsmasq.user¶
User name under which the dnsmasq exporter shall be run. Has no effect when is true.
Type: string
Default:
"dnsmasq-exporter"Declared by:
services.prometheus.exporters.dovecot.enable¶
Whether to enable the prometheus dovecot exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.dovecot.extraFlags¶
Extra commandline options to pass to the dovecot exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.dovecot.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9166"Example:
"-i eth0 -p tcp -m tcp --dport 9166"Declared by:
services.prometheus.exporters.dovecot.group¶
Group under which the dovecot exporter shall be run. Has no effect when is true.
Type: string
Default:
"dovecot-exporter"Declared by:
services.prometheus.exporters.dovecot.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.dovecot.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.dovecot.port¶
Port to listen on.
Type: signed integer
Default:
9166Declared by:
services.prometheus.exporters.dovecot.scopes¶
Stats scopes to query.
Type: list of strings
Default:
[ "user" ]Example:
[ "user" "global" ]Declared by:
services.prometheus.exporters.dovecot.socketPath¶
Path under which the stats socket is placed. The user/group under which the exporter runs, should be able to access the socket in order to scrape the metrics successfully.
Please keep in mind that the stats module has changed in`Dovecot 2.3+ <https://wiki2.dovecot.org/Upgrading/2.3>`_ which is not compatible with this exporter.
The following extra config has to be passed to Dovecot to ensure that recent versions work with this exporter:
{ services.prometheus.exporters.dovecot.enable = true; services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats"; services.dovecot2.extraConfig = '' mail_plugins = $mail_plugins old_stats service old-stats { unix_listener old-stats { user = dovecot-exporter group = dovecot-exporter } } ''; }Type: path
Default:
"/var/run/dovecot/stats"Example:
"/var/run/dovecot2/old-stats"Declared by:
services.prometheus.exporters.dovecot.telemetryPath¶
Path under which to expose metrics.
Type: string
Default:
"/metrics"Declared by:
services.prometheus.exporters.dovecot.user¶
User name under which the dovecot exporter shall be run. Has no effect when is true.
Type: string
Default:
"dovecot-exporter"Declared by:
services.prometheus.exporters.fritzbox.enable¶
Whether to enable the prometheus fritzbox exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.fritzbox.extraFlags¶
Extra commandline options to pass to the fritzbox exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.fritzbox.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9133"Example:
"-i eth0 -p tcp -m tcp --dport 9133"Declared by:
services.prometheus.exporters.fritzbox.gatewayAddress¶
The hostname or IP of the FRITZ!Box.
Type: string
Default:
"fritz.box"Declared by:
services.prometheus.exporters.fritzbox.gatewayPort¶
The port of the FRITZ!Box UPnP service.
Type: signed integer
Default:
49000Declared by:
services.prometheus.exporters.fritzbox.group¶
Group under which the fritzbox exporter shall be run. Has no effect when is true.
Type: string
Default:
"fritzbox-exporter"Declared by:
services.prometheus.exporters.fritzbox.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.fritzbox.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.fritzbox.port¶
Port to listen on.
Type: signed integer
Default:
9133Declared by:
services.prometheus.exporters.fritzbox.user¶
User name under which the fritzbox exporter shall be run. Has no effect when is true.
Type: string
Default:
"fritzbox-exporter"Declared by:
services.prometheus.exporters.json.enable¶
Whether to enable the prometheus json exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.json.configFile¶
Path to configuration file.
Type: path
Declared by:
services.prometheus.exporters.json.extraFlags¶
Extra commandline options to pass to the json exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.json.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 7979"Example:
"-i eth0 -p tcp -m tcp --dport 7979"Declared by:
services.prometheus.exporters.json.group¶
Group under which the json exporter shall be run. Has no effect when is true.
Type: string
Default:
"json-exporter"Declared by:
services.prometheus.exporters.json.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.json.port¶
Port to listen on.
Type: signed integer
Default:
7979Declared by:
services.prometheus.exporters.json.url¶
URL to scrape JSON from.
Type: string
Declared by:
services.prometheus.exporters.json.user¶
User name under which the json exporter shall be run. Has no effect when is true.
Type: string
Default:
"json-exporter"Declared by:
services.prometheus.exporters.mail.enable¶
Whether to enable the prometheus mail exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.mail.configFile¶
Specify the mailexporter configuration file to use.
Type: null or path
Default:
nullDeclared by:
services.prometheus.exporters.mail.configuration¶
services.prometheus.exporters.mail.configuration.disableFileDelition¶
Disables the exporter’s function to delete probing mails.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.mail.configuration.mailCheckTimeout¶
Timeout until mails are considered “didn’t make it”.
Type: string
Declared by:
services.prometheus.exporters.mail.configuration.monitoringInterval¶
Time interval between two probe attempts.
Type: string
Example:
"10s"Declared by:
services.prometheus.exporters.mail.configuration.servers¶
List of servers that should be probed.
Type: list of submodules
Default: ``[
]``
Example:
[ { name = "testserver"; server = "smtp.domain.tld"; port = 587; from = "exporteruser@domain.tld"; to = "exporteruser@domain.tld"; detectionDir = "/path/to/Maildir/new"; } ]Declared by:
services.prometheus.exporters.mail.configuration.servers.*.detectionDir¶
Directory in which new mails for the exporter user are placed. Note that this needs to exist when the exporter starts.
Type: path
Example:
"/var/spool/mail/exporteruser/new"Declared by:
services.prometheus.exporters.mail.configuration.servers.*.from¶
Content of ‘From’ Header for probing mails.
Type: string
Example:
"exporteruser@domain.tld"Declared by:
services.prometheus.exporters.mail.configuration.servers.*.login¶
Username to use for SMTP authentication.
Type: null or string
Default:
nullExample:
"exporteruser@domain.tld"Declared by:
services.prometheus.exporters.mail.configuration.servers.*.name¶
Value for label ‘configname’ which will be added to all metrics.
Type: string
Declared by:
services.prometheus.exporters.mail.configuration.servers.*.passphrase¶
Password to use for SMTP authentication.
Type: null or string
Default:
nullDeclared by:
services.prometheus.exporters.mail.configuration.servers.*.port¶
Port to use for SMTP.
Type: signed integer
Example:
587Declared by:
services.prometheus.exporters.mail.configuration.servers.*.server¶
Hostname of the server that should be probed.
Type: string
Declared by:
services.prometheus.exporters.mail.configuration.servers.*.to¶
Content of ‘To’ Header for probing mails.
Type: string
Example:
"exporteruser@domain.tld"Declared by:
services.prometheus.exporters.mail.extraFlags¶
Extra commandline options to pass to the mail exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.mail.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9225"Example:
"-i eth0 -p tcp -m tcp --dport 9225"Declared by:
services.prometheus.exporters.mail.group¶
Group under which the mail exporter shall be run. Has no effect when is true.
Type: string
Default:
"mail-exporter"Declared by:
services.prometheus.exporters.mail.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.mail.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.mail.port¶
Port to listen on.
Type: signed integer
Default:
9225Declared by:
services.prometheus.exporters.mail.telemetryPath¶
Path under which to expose metrics.
Type: string
Default:
"/metrics"Declared by:
services.prometheus.exporters.mail.user¶
User name under which the mail exporter shall be run. Has no effect when is true.
Type: string
Default:
"mail-exporter"Declared by:
services.prometheus.exporters.minio.enable¶
Whether to enable the prometheus minio exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.minio.extraFlags¶
Extra commandline options to pass to the minio exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.minio.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9290"Example:
"-i eth0 -p tcp -m tcp --dport 9290"Declared by:
services.prometheus.exporters.minio.group¶
Group under which the minio exporter shall be run. Has no effect when is true.
Type: string
Default:
"minio-exporter"Declared by:
services.prometheus.exporters.minio.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.minio.minioAccessKey¶
The value of the Minio access key. It is required in order to connect to the server. By default this uses the one from the local minio server if enabled and
config.services.minio.accessKey.Type: string
Example:
"yourMinioAccessKey"Declared by:
services.prometheus.exporters.minio.minioAccessSecret¶
The value of the Minio access secret. It is required in order to connect to the server. By default this uses the one from the local minio server if enabled and
config.services.minio.secretKey.Type: string
Declared by:
services.prometheus.exporters.minio.minioAddress¶
The URL of the minio server. Use HTTPS if Minio accepts secure connections only. By default this connects to the local minio server if enabled.
Type: string
Example:
"https://10.0.0.1:9000"Declared by:
services.prometheus.exporters.minio.minioBucketStats¶
Collect statistics about the buckets and files in buckets. It requires more computation, use it carefully in case of large buckets..
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.minio.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.minio.port¶
Port to listen on.
Type: signed integer
Default:
9290Declared by:
services.prometheus.exporters.minio.user¶
User name under which the minio exporter shall be run. Has no effect when is true.
Type: string
Default:
"minio-exporter"Declared by:
services.prometheus.exporters.nextcloud.enable¶
Whether to enable the prometheus nextcloud exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.nextcloud.extraFlags¶
Extra commandline options to pass to the nextcloud exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.nextcloud.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9205"Example:
"-i eth0 -p tcp -m tcp --dport 9205"Declared by:
services.prometheus.exporters.nextcloud.group¶
Group under which the nextcloud exporter shall be run. Has no effect when is true.
Type: string
Default:
"nextcloud-exporter"Declared by:
services.prometheus.exporters.nextcloud.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.nextcloud.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.nextcloud.passwordFile¶
File containing the password for connecting to Nextcloud. Make sure that this file is readable by the exporter user.
Type: path
Example:
"/path/to/password-file"Declared by:
services.prometheus.exporters.nextcloud.port¶
Port to listen on.
Type: signed integer
Default:
9205Declared by:
services.prometheus.exporters.nextcloud.timeout¶
Timeout for getting server info document.
Type: string
Default:
"5s"Declared by:
services.prometheus.exporters.nextcloud.url¶
URL to the Nextcloud serverinfo page. Adding the path to the serverinfo API is optional, it defaults to
/ocs/v2.php/apps/serverinfo/api/v1/info.Type: string
Example:
"https://domain.tld"Declared by:
services.prometheus.exporters.nextcloud.user¶
User name under which the nextcloud exporter shall be run. Has no effect when is true.
Type: string
Default:
"nextcloud-exporter"Declared by:
services.prometheus.exporters.nextcloud.username¶
Username for connecting to Nextcloud. Note that this account needs to have admin privileges in Nextcloud.
Type: string
Default:
"nextcloud-exporter"Declared by:
services.prometheus.exporters.nginx.enable¶
Whether to enable the prometheus nginx exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.nginx.extraFlags¶
Extra commandline options to pass to the nginx exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.nginx.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9113"Example:
"-i eth0 -p tcp -m tcp --dport 9113"Declared by:
services.prometheus.exporters.nginx.group¶
Group under which the nginx exporter shall be run. Has no effect when is true.
Type: string
Default:
"nginx-exporter"Declared by:
services.prometheus.exporters.nginx.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.nginx.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.nginx.port¶
Port to listen on.
Type: signed integer
Default:
9113Declared by:
services.prometheus.exporters.nginx.scrapeUri¶
Address to access the nginx status page. Can be enabled with services.nginx.statusPage = true.
Type: string
Default:
"http://localhost/nginx_status"Declared by:
services.prometheus.exporters.nginx.sslVerify¶
Whether to perform certificate verification for https.
Type: boolean
Default:
trueDeclared by:
services.prometheus.exporters.nginx.telemetryPath¶
Path under which to expose metrics.
Type: string
Default:
"/metrics"Declared by:
services.prometheus.exporters.nginx.user¶
User name under which the nginx exporter shall be run. Has no effect when is true.
Type: string
Default:
"nginx-exporter"Declared by:
services.prometheus.exporters.node.enable¶
Whether to enable the prometheus node exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.node.enabledCollectors¶
Collectors to enable. The collectors listed here are enabled in addition to the default ones.
Type: list of strings
Default: ``[
]``
Example:
''[ "systemd" ]''Declared by:
services.prometheus.exporters.node.disabledCollectors¶
Collectors to disable which are enabled by default.
Type: list of strings
Default: ``[
]``
Example:
''[ "timex" ]''Declared by:
services.prometheus.exporters.node.extraFlags¶
Extra commandline options to pass to the node exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.node.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9100"Example:
"-i eth0 -p tcp -m tcp --dport 9100"Declared by:
services.prometheus.exporters.node.group¶
Group under which the node exporter shall be run. Has no effect when is true.
Type: string
Default:
"node-exporter"Declared by:
services.prometheus.exporters.node.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.node.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.node.port¶
Port to listen on.
Type: signed integer
Default:
9100Declared by:
services.prometheus.exporters.node.user¶
User name under which the node exporter shall be run. Has no effect when is true.
Type: string
Default:
"node-exporter"Declared by:
services.prometheus.exporters.postfix.enable¶
Whether to enable the prometheus postfix exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.postfix.extraFlags¶
Extra commandline options to pass to the postfix exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.postfix.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9154"Example:
"-i eth0 -p tcp -m tcp --dport 9154"Declared by:
services.prometheus.exporters.postfix.group¶
Group under which the postfix exporter shall be run. Has no effect when is true.
Type: string
Default:
"postfix-exporter"Declared by:
services.prometheus.exporters.postfix.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.postfix.logfilePath¶
Path where Postfix writes log entries. This file will be truncated by this exporter!
Type: path
Default:
"/var/log/postfix_exporter_input.log"Example:
"/var/log/mail.log"Declared by:
services.prometheus.exporters.postfix.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.postfix.port¶
Port to listen on.
Type: signed integer
Default:
9154Declared by:
services.prometheus.exporters.postfix.showqPath¶
Path where Postfix places it’s showq socket.
Type: path
Default:
"/var/spool/postfix/public/showq"Example:
"/var/lib/postfix/queue/public/showq"Declared by:
services.prometheus.exporters.postfix.systemd.enable¶
Whether to enable reading metrics from the systemd-journal instead of from a logfile .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.postfix.systemd.journalPath¶
Path to the systemd journal.
Type: null or path
Default:
nullDeclared by:
services.prometheus.exporters.postfix.systemd.slice¶
Name of the postfix systemd slice. This overrides the .
Type: null or string
Default:
nullDeclared by:
services.prometheus.exporters.postfix.systemd.unit¶
Name of the postfix systemd unit.
Type: string
Default:
"postfix.service"Declared by:
services.prometheus.exporters.postfix.telemetryPath¶
Path under which to expose metrics.
Type: string
Default:
"/metrics"Declared by:
services.prometheus.exporters.postfix.user¶
User name under which the postfix exporter shall be run. Has no effect when is true.
Type: string
Default:
"postfix-exporter"Declared by:
services.prometheus.exporters.postgres.enable¶
Whether to enable the prometheus postgres exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.postgres.dataSourceName¶
Accepts PostgreSQL URI form and key=value form arguments.
Type: string
Default:
"user=postgres database=postgres host=/run/postgresql sslmode=disable"Example:
"postgresql://username:password@localhost:5432/postgres?sslmode=disable"Declared by:
services.prometheus.exporters.postgres.extraFlags¶
Extra commandline options to pass to the postgres exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.postgres.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9187"Example:
"-i eth0 -p tcp -m tcp --dport 9187"Declared by:
services.prometheus.exporters.postgres.group¶
Group under which the postgres exporter shall be run. Has no effect when is true.
Type: string
Default:
"postgres-exporter"Declared by:
services.prometheus.exporters.postgres.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.postgres.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.postgres.port¶
Port to listen on.
Type: signed integer
Default:
9187Declared by:
services.prometheus.exporters.postgres.runAsLocalSuperUser¶
Whether to run the exporter as the local ‘postgres’ super user.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.postgres.telemetryPath¶
Path under which to expose metrics.
Type: string
Default:
"/metrics"Declared by:
services.prometheus.exporters.postgres.user¶
User name under which the postgres exporter shall be run. Has no effect when is true.
Type: string
Default:
"postgres-exporter"Declared by:
services.prometheus.exporters.rspamd.enable¶
Whether to enable the prometheus rspamd exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.rspamd.extraFlags¶
Extra commandline options to pass to the rspamd exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.rspamd.extraLabels¶
Set of labels added to each metric.
Type: attribute set of strings
Default:
"{ host = config.networking.hostName; }"Example:
{ host = config.networking.hostName; custom_label = "some_value"; }Declared by:
services.prometheus.exporters.rspamd.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 7980"Example:
"-i eth0 -p tcp -m tcp --dport 7980"Declared by:
services.prometheus.exporters.rspamd.group¶
Group under which the rspamd exporter shall be run. Has no effect when is true.
Type: string
Default:
"rspamd-exporter"Declared by:
services.prometheus.exporters.rspamd.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.rspamd.port¶
Port to listen on.
Type: signed integer
Default:
7980Declared by:
services.prometheus.exporters.rspamd.url¶
URL to the rspamd metrics endpoint. Defaults to http://localhost:11334/stat when is true.
Type: string
Declared by:
services.prometheus.exporters.rspamd.user¶
User name under which the rspamd exporter shall be run. Has no effect when is true.
Type: string
Default:
"rspamd-exporter"Declared by:
services.prometheus.exporters.snmp.enable¶
Whether to enable the prometheus snmp exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.snmp.configuration¶
Snmp exporter configuration as nix attribute set. Mutually exclusive with ‘configurationPath’ option.
Type: null or attribute set
Default: ``{
}``
Example:
'' { "default" = { "version" = 2; "auth" = { "community" = "public"; }; }; }; ''Declared by:
services.prometheus.exporters.snmp.configurationPath¶
Path to a snmp exporter configuration file. Mutually exclusive with ‘configuration’ option.
Type: null or path
Default:
nullExample:
"./snmp.yml"Declared by:
services.prometheus.exporters.snmp.extraFlags¶
Extra commandline options to pass to the snmp exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.snmp.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9116"Example:
"-i eth0 -p tcp -m tcp --dport 9116"Declared by:
services.prometheus.exporters.snmp.group¶
Group under which the snmp exporter shall be run. Has no effect when is true.
Type: string
Default:
"snmp-exporter"Declared by:
services.prometheus.exporters.snmp.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.snmp.logFormat¶
Set the log target and format.
Type: string
Default:
"logger:stderr"Declared by:
services.prometheus.exporters.snmp.logLevel¶
Only log messages with the given severity or above.
Type: one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
"info"Declared by:
services.prometheus.exporters.snmp.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.snmp.port¶
Port to listen on.
Type: signed integer
Default:
9116Declared by:
services.prometheus.exporters.snmp.user¶
User name under which the snmp exporter shall be run. Has no effect when is true.
Type: string
Default:
"snmp-exporter"Declared by:
services.prometheus.exporters.surfboard.enable¶
Whether to enable the prometheus surfboard exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.surfboard.extraFlags¶
Extra commandline options to pass to the surfboard exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.surfboard.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9239"Example:
"-i eth0 -p tcp -m tcp --dport 9239"Declared by:
services.prometheus.exporters.surfboard.group¶
Group under which the surfboard exporter shall be run. Has no effect when is true.
Type: string
Default:
"surfboard-exporter"Declared by:
services.prometheus.exporters.surfboard.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.surfboard.modemAddress¶
The hostname or IP of the cable modem.
Type: string
Default:
"192.168.100.1"Declared by:
services.prometheus.exporters.surfboard.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.surfboard.port¶
Port to listen on.
Type: signed integer
Default:
9239Declared by:
services.prometheus.exporters.surfboard.user¶
User name under which the surfboard exporter shall be run. Has no effect when is true.
Type: string
Default:
"surfboard-exporter"Declared by:
services.prometheus.exporters.tor.enable¶
Whether to enable the prometheus tor exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.tor.extraFlags¶
Extra commandline options to pass to the tor exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.tor.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9130"Example:
"-i eth0 -p tcp -m tcp --dport 9130"Declared by:
services.prometheus.exporters.tor.group¶
Group under which the tor exporter shall be run. Has no effect when is true.
Type: string
Default:
"tor-exporter"Declared by:
services.prometheus.exporters.tor.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.tor.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.tor.port¶
Port to listen on.
Type: signed integer
Default:
9130Declared by:
services.prometheus.exporters.tor.torControlAddress¶
Tor control IP address or hostname.
Type: string
Default:
"127.0.0.1"Declared by:
services.prometheus.exporters.tor.torControlPort¶
Tor control port.
Type: signed integer
Default:
9051Declared by:
services.prometheus.exporters.tor.user¶
User name under which the tor exporter shall be run. Has no effect when is true.
Type: string
Default:
"tor-exporter"Declared by:
services.prometheus.exporters.unifi.enable¶
Whether to enable the prometheus unifi exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.unifi.extraFlags¶
Extra commandline options to pass to the unifi exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.unifi.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9130"Example:
"-i eth0 -p tcp -m tcp --dport 9130"Declared by:
services.prometheus.exporters.unifi.group¶
Group under which the unifi exporter shall be run. Has no effect when is true.
Type: string
Default:
"unifi-exporter"Declared by:
services.prometheus.exporters.unifi.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.unifi.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.unifi.port¶
Port to listen on.
Type: signed integer
Default:
9130Declared by:
services.prometheus.exporters.unifi.unifiAddress¶
URL of the UniFi Controller API.
Type: string
Example:
"https://10.0.0.1:8443"Declared by:
services.prometheus.exporters.unifi.unifiInsecure¶
If enabled skip the verification of the TLS certificate of the UniFi Controller API. Use with caution.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.unifi.unifiPassword¶
Password for authentication against UniFi Controller API.
Type: string
Declared by:
services.prometheus.exporters.unifi.unifiTimeout¶
Timeout including unit for UniFi Controller API requests.
Type: string
Default:
"5s"Example:
"2m"Declared by:
services.prometheus.exporters.unifi.unifiUsername¶
username for authentication against UniFi Controller API.
Type: string
Example:
"ReadOnlyUser"Declared by:
services.prometheus.exporters.unifi.user¶
User name under which the unifi exporter shall be run. Has no effect when is true.
Type: string
Default:
"unifi-exporter"Declared by:
services.prometheus.exporters.varnish.enable¶
Whether to enable the prometheus varnish exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.varnish.extraFlags¶
Extra commandline options to pass to the varnish exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.varnish.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9131"Example:
"-i eth0 -p tcp -m tcp --dport 9131"Declared by:
services.prometheus.exporters.varnish.group¶
Group under which the varnish exporter shall be run. Has no effect when is true.
Type: string
Default:
"varnish-exporter"Declared by:
services.prometheus.exporters.varnish.healthPath¶
Path under which to expose healthcheck. Disabled unless configured.
Type: null or string
Default:
nullDeclared by:
services.prometheus.exporters.varnish.instance¶
varnishstat -n value.
Type: null or string
Default:
nullDeclared by:
services.prometheus.exporters.varnish.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.varnish.noExit¶
Do not exit server on Varnish scrape errors.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.varnish.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.varnish.port¶
Port to listen on.
Type: signed integer
Default:
9131Declared by:
services.prometheus.exporters.varnish.raw¶
Enable raw stdout logging without timestamps.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.varnish.telemetryPath¶
Path under which to expose metrics.
Type: string
Default:
"/metrics"Declared by:
services.prometheus.exporters.varnish.user¶
User name under which the varnish exporter shall be run. Has no effect when is true.
Type: string
Default:
"varnish-exporter"Declared by:
services.prometheus.exporters.varnish.varnishStatPath¶
Path to varnishstat.
Type: string
Default:
"varnishstat"Declared by:
services.prometheus.exporters.varnish.verbose¶
Enable verbose logging.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.varnish.withGoMetrics¶
Export go runtime and http handler metrics.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.wireguard.enable¶
Whether to enable the prometheus wireguard exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.wireguard.extraFlags¶
Extra commandline options to pass to the wireguard exporter.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.exporters.wireguard.firewallFilter¶
Specify a filter for iptables to use when is true. It is used as `ip46tables -I nixos-fw -j nixos-fw-accept`.
Type: string
Default:
"-p tcp -m tcp --dport 9586"Example:
"-i eth0 -p tcp -m tcp --dport 9586"Declared by:
services.prometheus.exporters.wireguard.group¶
Group under which the wireguard exporter shall be run. Has no effect when is true.
Type: string
Default:
"wireguard-exporter"Declared by:
services.prometheus.exporters.wireguard.listenAddress¶
Address to listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.prometheus.exporters.wireguard.openFirewall¶
Open port in firewall for incoming connections.
Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.wireguard.port¶
Port to listen on.
Type: signed integer
Default:
9586Declared by:
services.prometheus.exporters.wireguard.singleSubnetPerField¶
By default, all allowed IPs and subnets are comma-separated in the``allowed_ips`` field. With this option enabled, a single IP and subnet will be listed in fields like
allowed_ip_0,``allowed_ip_1`` and so on.Type: boolean
Default:
falseDeclared by:
services.prometheus.exporters.wireguard.user¶
User name under which the wireguard exporter shall be run. Has no effect when is true.
Type: string
Default:
"wireguard-exporter"Declared by:
services.prometheus.exporters.wireguard.verbose¶
Whether to enable Verbose logging mode for prometheus-wireguard-exporter.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.exporters.wireguard.wireguardConfig¶
Path to the Wireguard Config to`add the peer’s name to the stats of a peer <https://github.com/MindFlavor/prometheus_wireguard_exporter/tree/2.0.0#usage>`_.
Please note that
networking.wg-quickis required for this feature asnetworking.wireguarduseswg8 to set the peers up.Type: null or path or string
Default:
nullDeclared by:
services.prometheus.exporters.wireguard.withRemoteIp¶
Whether or not the remote IP of a WireGuard peer should be exposed via prometheus.
Type: boolean
Default:
falseDeclared by:
services.prometheus.extraFlags¶
Extra commandline options when launching Prometheus.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.globalConfig¶
Parameters that are valid in all configuration contexts. They also serve as defaults for other configuration sections
Type: submodule
Default: ``{
}``
Declared by:
services.prometheus.globalConfig.evaluation_interval¶
How frequently to evaluate rules by default.
Defaults to
1min prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.globalConfig.external_labels¶
The labels to add to any time series or alerts when communicating with external systems (federation, remote storage, Alertmanager).
Type: null or attribute set of strings
Default:
nullDeclared by:
services.prometheus.globalConfig.scrape_interval¶
How frequently to scrape targets by default.
Defaults to
1min prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.globalConfig.scrape_timeout¶
How long until a scrape request times out.
Defaults to
10sin prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.listenAddress¶
Address to listen on for the web interface, API, and telemetry.
Type: string
Default:
"0.0.0.0:9090"Declared by:
services.prometheus.pushgateway.enable¶
Whether to enable Prometheus Pushgateway.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.pushgateway.package¶
Package that should be used for the prometheus pushgateway.
Type: package
Default:
"pkgs.prometheus-pushgateway"Declared by:
services.prometheus.pushgateway.extraFlags¶
Extra commandline options when launching the Pushgateway.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.pushgateway.log.format¶
Set the log target and format.
nullwill default tologger:stderr.Type: null or string
Default:
nullExample:
"logger:syslog?appname=bob&local=7"Declared by:
services.prometheus.pushgateway.log.level¶
Only log messages with the given severity or above.
nullwill default toinfo.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.prometheus.pushgateway.persistMetrics¶
Whether to persist metrics to a file.
When enabled metrics will be saved to a file called``metrics`` in the directory``/var/lib/pushgateway``. The directory below``/var/lib`` can be set using.
Type: boolean
Default:
falseDeclared by:
services.prometheus.pushgateway.persistence.interval¶
The minimum interval at which to write out the persistence file.
nullwill default to5m.Type: null or string
Default:
nullExample:
"10m"Declared by:
services.prometheus.pushgateway.stateDir¶
Directory below
/var/libto store metrics.This directory will be created automatically using systemd’s StateDirectory mechanism when is enabled.
Type: string
Default:
"pushgateway"Declared by:
services.prometheus.pushgateway.web.external-url¶
The URL under which Pushgateway is externally reachable.
Type: null or string
Default:
nullDeclared by:
services.prometheus.pushgateway.web.listen-address¶
Address to listen on for the web interface, API and telemetry.
nullwill default to:9091.Type: null or string
Default:
nullDeclared by:
services.prometheus.pushgateway.web.route-prefix¶
Prefix for the internal routes of web endpoints.
Defaults to the path of.
Type: null or string
Default:
nullDeclared by:
services.prometheus.pushgateway.web.telemetry-path¶
Path under which to expose metrics.
nullwill default to/metrics.Type: null or string
Default:
nullDeclared by:
services.prometheus.ruleFiles¶
Any additional rules files to include in this configuration.
Type: list of paths
Default: ``[
]``
Declared by:
services.prometheus.rules¶
Alerting and/or Recording rules to evaluate at runtime.
Type: list of strings
Default: ``[
]``
Declared by:
services.prometheus.scrapeConfigs¶
services.prometheus.scrapeConfigs.*.basic_auth¶
Optional http login credentials for metrics scraping.
Type: null or submodule
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.basic_auth.password¶
HTTP password
Type: string
Declared by:
services.prometheus.scrapeConfigs.*.basic_auth.username¶
HTTP username
Type: string
Declared by:
services.prometheus.scrapeConfigs.*.bearer_token¶
Sets the `Authorization` header on every scrape request with the configured bearer token. It is mutually exclusive with.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.bearer_token_file¶
Sets the `Authorization` header on every scrape request with the bearer token read from the configured file. It is mutually exclusive with .
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs¶
List of Consul service discovery configurations.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.allow_stale¶
Allow stale Consul results (see ` <https://www.consul.io/api/index.html#consistency-modes>`_).
Will reduce load on Consul.
Type: null or boolean
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.datacenter¶
Consul datacenter
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.node_meta¶
Node metadata used to filter nodes for a given service.
Type: null or attribute set of strings
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.password¶
Consul password
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.refresh_interval¶
The time after which the provided names are refreshed.
On large setup it might be a good idea to increase this value because the catalog will change all the time.
Defaults to
30sin prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.scheme¶
Consul scheme Defaults to
httpin prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.server¶
Consul server to query.
Defaults to
localhost:8500in prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.services¶
A list of services for which targets are retrieved.
Type: null or list of strings
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tag_separator¶
The string by which Consul tags are joined into the tag label.
Defaults to
,in prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tags¶
An optional list of tags used to filter nodes for a given service. Services must contain all tags in the list.
Type: null or list of strings
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config¶
Configures the Consul request’s TLS settings.
Type: null or submodule
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.ca_file¶
CA certificate to validate API server certificate with.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.cert_file¶
Certificate file for client cert authentication to the server.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.insecure_skip_verify¶
Disable validation of the server certificate.
Type: null or boolean
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.key_file¶
Key file for client cert authentication to the server.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.server_name¶
ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.token¶
Consul token
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.username¶
Consul username
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.dns_sd_configs¶
List of DNS service discovery configurations.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.dns_sd_configs.*.names¶
A list of DNS SRV record names to be queried.
Type: list of strings
Declared by:
services.prometheus.scrapeConfigs.*.dns_sd_configs.*.refresh_interval¶
The time after which the provided names are refreshed.
Defaults to
30sin prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs¶
List of EC2 service discovery configurations.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.access_key¶
The AWS API key id. If blank, the environment variable``AWS_ACCESS_KEY_ID`` is used.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.endpoint¶
Custom endpoint to be used.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters¶
Filters can be used optionally to filter the instance list by other criteria.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters.*.name¶
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters.*.value¶
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.port¶
The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.
Defaults to
80in prometheus when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.profile¶
Named AWS profile used to connect to the API.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.refresh_interval¶
Refresh interval to re-read the instance list.
Defaults to
60sin prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.region¶
The AWS Region.
Type: string
Declared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.role_arn¶
AWS Role ARN, an alternative to using AWS API keys.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.secret_key¶
The AWS API key secret. If blank, the environment variable
AWS_SECRET_ACCESS_KEYis used.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.file_sd_configs¶
List of file service discovery configurations.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.file_sd_configs.*.files¶
Patterns for files from which target groups are extracted. Refer to the Prometheus documentation for permitted filename patterns and formats.
Type: list of strings
Declared by:
services.prometheus.scrapeConfigs.*.file_sd_configs.*.refresh_interval¶
Refresh interval to re-read the files.
Defaults to
5min prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.honor_labels¶
Controls how Prometheus handles conflicts between labels that are already present in scraped data and labels that Prometheus would attach server-side (“job” and “instance” labels, manually configured target labels, and labels generated by service discovery implementations).
If honor_labels is set to “true”, label conflicts are resolved by keeping label values from the scraped data and ignoring the conflicting server-side labels.
If honor_labels is set to “false”, label conflicts are resolved by renaming conflicting labels in the scraped data to “exported_<original-label>” (for example “exported_instance”, “exported_job”) and then attaching server-side labels. This is useful for use cases such as federation, where all labels specified in the target should be preserved.
Defaults to
falsein prometheus when set tonull.Type: null or boolean
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.honor_timestamps¶
honor_timestamps controls whether Prometheus respects the timestamps present in scraped data.
If honor_timestamps is set to
true, the timestamps of the metrics exposed by the target will be used.If honor_timestamps is set to
false, the timestamps of the metrics exposed by the target will be ignored.Defaults to
truein prometheus when set tonull.Type: null or boolean
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.job_name¶
The job name assigned to scraped metrics by default.
Type: string
Declared by:
services.prometheus.scrapeConfigs.*.metrics_path¶
The HTTP resource path on which to fetch metrics from targets.
Defaults to
/metricsin prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.params¶
Optional HTTP URL parameters.
Type: null or attribute set of list of stringss
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.proxy_url¶
Optional proxy URL.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs¶
List of relabel configurations.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.action¶
Action to perform based on regex matching.
Defaults to
replacein prometheus when set tonull.Type: null or one of “replace”, “keep”, “drop”
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.modulus¶
Modulus to take of the hash of the source label values.
Type: null or signed integer
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.regex¶
Regular expression against which the extracted value is matched.
Defaults to
(.*)in prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.replacement¶
Replacement value against which a regex replace is performed if the regular expression matches.
Defaults to
$1in prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.separator¶
Separator placed between concatenated source label values.
Defaults to
;in prometheus when set tonull.Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.source_labels¶
The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression.
Type: null or list of strings
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.relabel_configs.*.target_label¶
Label to which the resulting value is written in a replace action. It is mandatory for replace actions.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.sample_limit¶
Per-scrape limit on number of scraped samples that will be accepted. If more than this number of samples are present after metric relabelling the entire scrape will be treated as failed. 0 means no limit.
Defaults to
0in prometheus when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.scheme¶
The URL scheme with which to fetch metrics from targets.
Defaults to
httpin prometheus when set tonull.Type: null or one of “http”, “https”
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.scrape_interval¶
How frequently to scrape targets from this job. Defaults to the globally configured default.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.scrape_timeout¶
Per-target timeout when scraping this job. Defaults to the globally configured default.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.static_configs¶
List of labeled target groups for this job.
Type: null or list of submodules
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.static_configs.*.labels¶
Labels assigned to all metrics scraped from the targets.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.prometheus.scrapeConfigs.*.static_configs.*.targets¶
The targets specified by the target group.
Type: list of strings
Declared by:
services.prometheus.scrapeConfigs.*.tls_config¶
Configures the scrape request’s TLS settings.
Type: null or submodule
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.tls_config.ca_file¶
CA certificate to validate API server certificate with.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.tls_config.cert_file¶
Certificate file for client cert authentication to the server.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.tls_config.insecure_skip_verify¶
Disable validation of the server certificate.
Type: null or boolean
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.tls_config.key_file¶
Key file for client cert authentication to the server.
Type: null or string
Default:
nullDeclared by:
services.prometheus.scrapeConfigs.*.tls_config.server_name¶
ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1
Type: null or string
Default:
nullDeclared by:
services.prometheus.stateDir¶
Directory below
/var/libto store Prometheus metrics data. This directory will be created automatically using systemd’s StateDirectory mechanism.Type: string
Default:
"prometheus2"Declared by:
services.prometheus.webExternalUrl¶
The URL under which Prometheus is externally reachable (for example, if Prometheus is served via a reverse proxy).
Type: null or string
Default:
nullExample:
"https://example.com/"Declared by:
services.prometheus.xmpp-alerts.enable¶
Whether to enable XMPP Web hook service for Alertmanager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.prometheus.xmpp-alerts.configuration¶
Configuration as attribute set which will be converted to YAML
Type: attribute set
Declared by:
services.prosody.enable¶
Whether to enable the prosody server
Type: boolean
Default:
falseDeclared by:
services.prosody.package¶
Prosody package to use
Type: package
Default:
"pkgs.prosody"Example:
pkgs.prosody.override { withExtraLibs = [ pkgs.luaPackages.lpty ]; withCommunityModules = [ "auth_external" ]; };Declared by:
services.prosody.admins¶
List of administrators of the current host
Type: list of strings
Default: ``[
]``
Example:
[ "admin1@example.com" "admin2@example.com" ]Declared by:
services.prosody.allowRegistration¶
Allow account creation
Type: boolean
Default:
falseDeclared by:
services.prosody.authentication¶
Authentication mechanism used for logins.
Type: one of “internal_plain”, “internal_hashed”, “cyrus”, “anonymous”
Default:
"internal_hashed"Example:
"internal_plain"Declared by:
services.prosody.c2sRequireEncryption¶
Force clients to use encrypted connections? This option will prevent clients from authenticating unless they are using encryption.
Type: boolean
Default:
trueDeclared by:
services.prosody.dataDir¶
Directory where Prosody stores its data
Type: path
Default:
"/var/lib/prosody"Declared by:
services.prosody.extraConfig¶
Additional prosody configuration
Type: strings concatenated with “\n”
Default:
""Declared by:
services.prosody.extraModules¶
services.prosody.extraPluginPaths¶
Addtional path in which to look find plugins/modules
Type: list of paths
Default: ``[
]``
Declared by:
services.prosody.group¶
Group account under which prosody runs.
Type: string
Default:
"prosody"Declared by:
services.prosody.modules.admin_adhoc¶
Allows administration via an XMPP client that supports ad-hoc commands
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.admin_telnet¶
Opens telnet console interface on localhost port 5582
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.announce¶
Send announcement to all online users
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.blocklist¶
Allow users to block communications with other users
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.bosh¶
Enable BOSH clients, aka ‘Jabber over HTTP’
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.carbons¶
Keep multiple clients in sync
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.dialback¶
s2s dialback support
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.disco¶
Service discovery
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.groups¶
Shared roster support
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.http_files¶
Serve static files from a directory over HTTP
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.legacyauth¶
Legacy authentication. Only used by some old clients and bots
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.limits¶
Enable bandwidth limiting for XMPP connections
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.mam¶
Store messages in an archive and allow users to access it
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.motd¶
Send a message to users when they log in
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.pep¶
Enables users to publish their mood, activity, playing music and more
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.ping¶
Replies to XMPP pings with pongs
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.private¶
Private XML storage (for room bookmarks, etc.)
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.proxy65¶
Enables a file transfer proxy service which clients behind NAT can use
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.register¶
Allow users to register on this server using a client and change passwords
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.roster¶
Allow users to have a roster
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.saslauth¶
Authentication for clients and servers. Recommended if you want to log in.
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.server_contact_info¶
Publish contact information for this service
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.time¶
Let others know the time here on this server
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.tls¶
Add support for secure TLS on c2s/s2s connections
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.uptime¶
Report how long server has been running
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.vcard¶
Allow users to set vCards
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.version¶
Replies to server version requests
Type: boolean
Default:
trueDeclared by:
services.prosody.modules.watchregistrations¶
Alert admins of registrations
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.websocket¶
Enable WebSocket support
Type: boolean
Default:
falseDeclared by:
services.prosody.modules.welcome¶
Welcome users who register accounts
Type: boolean
Default:
falseDeclared by:
services.prosody.s2sInsecureDomains¶
Some servers have invalid or self-signed certificates. You can list remote domains here that will not be required to authenticate using certificates. They will be authenticated using DNS instead, even when s2s_secure_auth is enabled.
Type: list of strings
Default: ``[
]``
Example:
[ "insecure.example.com" ]Declared by:
services.prosody.s2sRequireEncryption¶
Force servers to use encrypted connections? This option will prevent servers from authenticating unless they are using encryption. Note that this is different from authentication.
Type: boolean
Default:
trueDeclared by:
services.prosody.s2sSecureAuth¶
Force certificate authentication for server-to-server connections? This provides ideal security, but requires servers you communicate with to support encryption AND present valid, trusted certificates. For more information see https://prosody.im/doc/s2s#security
Type: boolean
Default:
falseDeclared by:
services.prosody.s2sSecureDomains¶
Even if you leave s2s_secure_auth disabled, you can still require valid certificates for some domains by specifying a list here.
Type: list of strings
Default: ``[
]``
Example:
[ "jabber.org" ]Declared by:
services.prosody.ssl¶
Paths to SSL files
Type: null or submodule
Default:
nullDeclared by:
services.prosody.ssl.cert¶
Path to the certificate file.
Type: path
Declared by:
services.prosody.ssl.extraOptions¶
services.prosody.ssl.key¶
Path to the key file.
Type: path
Declared by:
services.prosody.user¶
User account under which prosody runs.
Type: string
Default:
"prosody"Declared by:
services.prosody.virtualHosts¶
Define the virtual hosts
Type: list or attribute set of submodules
Default:
{ localhost = { domain = "localhost"; enabled = true; } ; }Example:
{ myhost = { domain = "my-xmpp-example-host.org"; enabled = true; } ; }Declared by:
services.prosody.virtualHosts.<name?>.enabled¶
Whether to enable the virtual host
Type: boolean
Default:
falseDeclared by:
services.prosody.virtualHosts.<name?>.domain¶
services.prosody.virtualHosts.<name?>.extraConfig¶
Additional virtual host specific configuration
Type: strings concatenated with “\n”
Default:
""Declared by:
services.prosody.virtualHosts.<name?>.ssl¶
Paths to SSL files
Type: null or submodule
Default:
nullDeclared by:
services.prosody.virtualHosts.<name?>.ssl.cert¶
Path to the certificate file.
Type: path
Declared by:
services.prosody.virtualHosts.<name?>.ssl.extraOptions¶
services.prosody.virtualHosts.<name?>.ssl.key¶
Path to the key file.
Type: path
Declared by:
services.psd.enable¶
Whether to enable the Profile Sync daemon.
Type: boolean
Default:
falseDeclared by:
services.psd.resyncTimer¶
The amount of time to wait before syncing browser profiles back to the disk.
Takes a systemd.unit time span. The time unit defaults to seconds if omitted.
Type: string
Default:
"1h"Example:
"1h 30min"Declared by:
services.pykms.enable¶
Whether to enable the PyKMS service.
Type: boolean
Default:
falseDeclared by:
services.pykms.listenAddress¶
The IP address on which to listen.
Type: string
Default:
"0.0.0.0"Declared by:
services.pykms.logLevel¶
How much to log
Type: one of “CRITICAL”, “ERROR”, “WARNING”, “INFO”, “DEBUG”, “MINI”
Default:
"INFO"Declared by:
services.pykms.memoryLimit¶
How much memory to use at most.
Type: string
Default:
"64M"Declared by:
services.pykms.openFirewallPort¶
Whether the listening port should be opened automatically.
Type: boolean
Default:
falseDeclared by:
services.pykms.port¶
The port on which to listen.
Type: signed integer
Default:
1688Declared by:
services.qemuGuest.enable¶
Whether to enable the qemu guest agent.
Type: boolean
Default:
falseDeclared by:
services.quagga.babel.enable¶
Whether to enable the Quagga BABEL routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.babel.config¶
babeld configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.quagga.babel.configFile¶
Configuration file to use for Quagga babeld. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/babeld.conf"Declared by:
services.quagga.babel.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.babel.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.bgp.enable¶
Whether to enable the Quagga BGP routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.bgp.config¶
bgpd configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
'' router bgp 65001 neighbor 10.0.0.1 remote-as 65001 ''Declared by:
services.quagga.bgp.configFile¶
Configuration file to use for Quagga bgpd. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/bgpd.conf"Declared by:
services.quagga.bgp.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.bgp.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.isis.enable¶
Whether to enable the Quagga ISIS routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.isis.config¶
isisd configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.quagga.isis.configFile¶
Configuration file to use for Quagga isisd. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/isisd.conf"Declared by:
services.quagga.isis.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.isis.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.ospf.enable¶
Whether to enable the Quagga OSPF routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.ospf.config¶
ospfd configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
'' router ospf network 10.0.0.0/8 area 0 ''Declared by:
services.quagga.ospf.configFile¶
Configuration file to use for Quagga ospfd. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/ospfd.conf"Declared by:
services.quagga.ospf.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.ospf.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.ospf6.enable¶
Whether to enable the Quagga OSPF6 routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.ospf6.config¶
ospf6d configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.quagga.ospf6.configFile¶
Configuration file to use for Quagga ospf6d. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/ospf6d.conf"Declared by:
services.quagga.ospf6.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.ospf6.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.pim.enable¶
Whether to enable the Quagga PIM routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.pim.config¶
pimd configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.quagga.pim.configFile¶
Configuration file to use for Quagga pimd. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/pimd.conf"Declared by:
services.quagga.pim.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.pim.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.rip.enable¶
Whether to enable the Quagga RIP routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.rip.config¶
ripd configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
'' router rip network 10.0.0.0/8 ''Declared by:
services.quagga.rip.configFile¶
Configuration file to use for Quagga ripd. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/ripd.conf"Declared by:
services.quagga.rip.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.rip.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.ripng.enable¶
Whether to enable the Quagga RIPNG routing protocol.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.quagga.ripng.config¶
ripngd configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.quagga.ripng.configFile¶
Configuration file to use for Quagga ripngd. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/ripngd.conf"Declared by:
services.quagga.ripng.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.ripng.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quagga.zebra.enable¶
Whether to enable the Zebra routing manager.
The Zebra routing manager is automatically enabled if any routing protocols are configured.
Type: boolean
Default:
falseDeclared by:
services.quagga.zebra.config¶
zebra configuration statements.
Type: strings concatenated with “\n”
Default:
""Example:
""Declared by:
services.quagga.zebra.configFile¶
Configuration file to use for Quagga zebra. By default the NixOS generated files are used.
Type: null or path
Default:
nullExample:
"/etc/quagga/zebra.conf"Declared by:
services.quagga.zebra.vtyListenAddress¶
Address to bind to for the VTY interface.
Type: string
Default:
"127.0.0.1"Declared by:
services.quagga.zebra.vtyListenPort¶
TCP Port to bind to for the VTY interface.
Type: null or signed integer
Default:
nullDeclared by:
services.quassel.enable¶
Whether to run the Quassel IRC client daemon.
Type: unspecified
Default:
falseDeclared by:
services.quassel.package¶
The package of the quassel daemon.
Type: package
Default:
"pkgs.quasselDaemon"Example:
pkgs.quasselDaemonDeclared by:
services.quassel.certificateFile¶
Path to the certificate used for SSL connections with clients.
Type: null or string
Default:
nullDeclared by:
services.quassel.dataDir¶
The directory holding configuration files, the SQlite database and the SSL Cert.
Type: unspecified
Default:
"/home/quassel/.config/quassel-irc.org"Declared by:
services.quassel.interfaces¶
The interfaces the Quassel daemon will be listening to. If `[ 127.0.0.1 ]’, only clients on the local host can connect to it; if `[ 0.0.0.0 ]’, clients can access it from any network interface.
Type: unspecified
Default:
[ "127.0.0.1" ]Declared by:
services.quassel.portNumber¶
The port number the Quassel daemon will be listening to.
Type: unspecified
Default:
4242Declared by:
services.quassel.requireSSL¶
Require SSL for connections from clients.
Type: boolean
Default:
falseDeclared by:
services.quassel.user¶
The existing user the Quassel daemon should run as. If left empty, a default “quassel” user will be created.
Type: unspecified
Default:
nullDeclared by:
services.quicktun.<name>.localAddress¶
Type: string
Example:
"0.0.0.0"Declared by:
services.quicktun.<name>.localPort¶
Type: signed integer
Default:
2998Declared by:
services.quicktun.<name>.privateKey¶
services.quicktun.<name>.protocol¶
Type: string
Default:
"nacltai"Declared by:
services.quicktun.<name>.publicKey¶
services.quicktun.<name>.remoteAddress¶
Type: string
Example:
"tunnel.example.com"Declared by:
services.quicktun.<name>.remoteFloat¶
Type: signed integer
Default:
0Declared by:
services.quicktun.<name>.remotePort¶
Type: signed integer
Default:
2998Declared by:
services.quicktun.<name>.timeWindow¶
Type: signed integer
Default:
5Declared by:
services.quicktun.<name>.tunMode¶
Type: signed integer
Default:
0Example:
1Declared by:
services.quicktun.<name>.upScript¶
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rabbitmq.enable¶
Whether to enable the RabbitMQ server, an Advanced Message Queuing Protocol (AMQP) broker.
Type: unspecified
Default:
falseDeclared by:
services.rabbitmq.package¶
Which rabbitmq package to use.
Type: package
Default:
"pkgs.rabbitmq-server"Declared by:
services.rabbitmq.config¶
Verbatim advanced configuration file contents using the Erlang syntax. This is also known as the
advanced.configfile or the old config format.
configItemsis preferred whenever possible. However, nested data structures can only be expressed properly using theconfigoption.The contents of this option will be merged into the
configItemsby RabbitMQ at runtime to form the final configuration.See the second table on https://www.rabbitmq.com/configure.html#config-items For the distinct formats, see https://www.rabbitmq.com/configure.html#config-file-formats
Type: string
Default:
""Declared by:
services.rabbitmq.configItems¶
Configuration options in RabbitMQ’s new config file format, which is a simple key-value format that can not express nested data structures. This is known as the
rabbitmq.conffile, although outside NixOS that filename may have Erlang syntax, particularly prior to RabbitMQ 3.7.0.If you do need to express nested data structures, you can use``config`` option. Configuration from
configwill be merged into these options by RabbitMQ at runtime to form the final configuration.See https://www.rabbitmq.com/configure.html#config-items For the distinct formats, see https://www.rabbitmq.com/configure.html#config-file-formats
Type: attribute set of strings
Default: ``{
}``
Example:
{ "auth_backends.1.authn" = "rabbit_auth_backend_ldap"; "auth_backends.1.authz" = "rabbit_auth_backend_internal"; }Declared by:
services.rabbitmq.cookie¶
Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate. Leave empty to generate automatically.
Type: string
Default:
""Declared by:
services.rabbitmq.dataDir¶
Data directory for rabbitmq.
Type: path
Default:
"/var/lib/rabbitmq"Declared by:
services.rabbitmq.listenAddress¶
IP address on which RabbitMQ will listen for AMQP connections. Set to the empty string to listen on all interfaces. Note that RabbitMQ creates a user named``guest`` with password``guest`` by default, so you should delete this user if you intend to allow external access.
Together with ‘port’ setting it’s mostly an alias for configItems.”listeners.tcp.1” and it’s left for backwards compatibility with previous version of this module.
Type: string
Default:
"127.0.0.1"Example:
""Declared by:
services.rabbitmq.pluginDirs¶
The list of directories containing external plugins
Type: list of paths
Default: ``[
]``
Declared by:
services.rabbitmq.plugins¶
services.rabbitmq.port¶
Port on which RabbitMQ will listen for AMQP connections.
Type: signed integer
Default:
5672Declared by:
services.racoon.enable¶
Whether to enable racoon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.racoon.config¶
Contents of racoon configuration file.
Type: string
Default:
""Declared by:
services.racoon.configPath¶
Location of racoon config if config is not provided.
Type: path
Default:
"/etc/racoon/racoon.conf"Declared by:
services.radarr.enable¶
Whether to enable Radarr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.radarr.dataDir¶
The directory where Radarr stores its data files.
Type: string
Default:
"/var/lib/radarr/.config/Radarr"Declared by:
services.radarr.group¶
Group under which Radarr runs.
Type: string
Default:
"radarr"Declared by:
services.radarr.openFirewall¶
Open ports in the firewall for the Radarr web interface.
Type: boolean
Default:
falseDeclared by:
services.radarr.user¶
User account under which Radarr runs.
Type: string
Default:
"radarr"Declared by:
services.radicale.enable¶
Enable Radicale CalDAV and CardDAV server.
Type: boolean
Default:
falseDeclared by:
services.radicale.package¶
Radicale package to use. This defaults to version 1.x if``system.stateVersion < 17.09`` and version 2.x otherwise.
Type: package
Default:
"pkgs.radicale2"Declared by:
services.radicale.config¶
Radicale configuration, this will set the service configuration file.
Type: string
Default:
""Declared by:
services.radicale.extraArgs¶
services.radvd.enable¶
Whether to enable the Router Advertisement Daemon (radvd), which provides link-local advertisements of IPv6 router addresses and prefixes using the Neighbor Discovery Protocol (NDP). This enables stateless address autoconfiguration in IPv6 clients on the network.
Type: unspecified
Default:
falseDeclared by:
services.radvd.config¶
The contents of the radvd configuration file.
Type: unspecified
Example:
'' interface eth0 { AdvSendAdvert on; prefix 2001:db8:1234:5678::/64 { }; }; ''Declared by:
services.railcar.enable¶
Whether to enable railcar.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.railcar.package¶
Railcar package to use
Type: package
Default:
*(build of railcar-1.0.4)*Declared by:
services.railcar.containers¶
Declarative container configuration
Type: list or attribute set of submodules
Default: ``{
}``
Declared by:
services.railcar.containers.<name?>.arch¶
Computer architecture type of the container
Type: string
Default:
"x86_64"Declared by:
services.railcar.containers.<name?>.cmd¶
Command or script to run inside the container
Type: strings concatenated with “\n”
Declared by:
services.railcar.containers.<name?>.mounts¶
A set of mounts inside the container.
The defaults have been chosen for simple bindmounts, meaning that you only need to provide the “source” parameter.
Type: attribute set of submodules
Default: ``{
}``
Example:
'' { "/data" = { source = "/var/lib/data"; }; } ''Declared by:
services.railcar.containers.<name?>.mounts.<name>.options¶
Mount options of the filesystem to be used.
Support optoions are listed in the mount(8) man page. Note that both filesystem-independent and filesystem-specific options are listed.
Type: list or attribute set of strings
Default:
[ "bind" ]Declared by:
services.railcar.containers.<name?>.mounts.<name>.source¶
Source for the in-container mount
Type: string
Declared by:
services.railcar.containers.<name?>.mounts.<name>.type¶
The type of the filesystem to be mounted. Linux: filesystem types supported by the kernel as listed in `/proc/filesystems` (e.g., “minix”, “ext2”, “ext3”, “jfs”, “xfs”, “reiserfs”, “msdos”, “proc”, “nfs”, “iso9660”). For bind mounts (when options include either bind or rbind), the type is a dummy, often “none” (not listed in /proc/filesystems).
Type: string
Default:
"none"Declared by:
services.railcar.containers.<name?>.os¶
OS type of the container
Type: string
Default:
"linux"Declared by:
services.railcar.containers.<name?>.runType¶
The systemd service run type
Type: string
Default:
"oneshot"Declared by:
services.railcar.stateDir¶
Railcar persistent state directory
Type: path
Default:
"/var/railcar"Declared by:
services.ratbagd.enable¶
Whether to enable ratbagd for configuring gaming mice.
Type: unspecified
Default:
falseDeclared by:
services.rdnssd.enable¶
Whether to enable the RDNSS daemon (rdnssd), which configures DNS servers in:file:/etc/resolv.conf from RDNSS advertisements sent by IPv6 routers.
Type: unspecified
Default:
falseDeclared by:
services.redis.enable¶
Whether to enable the Redis server. Note that the NixOS module for Redis disables kernel support for Transparent Huge Pages (THP), because this features causes major performance problems for Redis, e.g. (https://redis.io/topics/latency).
Type: boolean
Default:
falseDeclared by:
services.redis.package¶
Which Redis derivation to use.
Type: package
Default:
"pkgs.redis"Declared by:
services.redis.appendFsync¶
How often to fsync the append-only log, options: no, always, everysec.
Type: string
Default:
"everysec"Declared by:
services.redis.appendOnly¶
By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence.
Type: boolean
Default:
falseDeclared by:
services.redis.bind¶
The IP interface to bind to.
Type: null or string
Default:
nullExample:
"127.0.0.1"Declared by:
services.redis.databases¶
Set the number of databases.
Type: signed integer
Default:
16Declared by:
services.redis.extraConfig¶
Extra configuration options for redis.conf.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.redis.logLevel¶
Specify the server verbosity level, options: debug, verbose, notice, warning.
Type: string
Default:
"notice"Example:
"debug"Declared by:
services.redis.logfile¶
Specify the log file name. Also ‘stdout’ can be used to force Redis to log on the standard output.
Type: string
Default:
"/dev/null"Example:
"/var/log/redis.log"Declared by:
services.redis.masterAuth¶
If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization process, otherwise the master will refuse the slave request. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
Type: unspecified
Default:
nullDeclared by:
services.redis.openFirewall¶
Whether to open ports in the firewall for the server.
Type: boolean
Default:
falseDeclared by:
services.redis.port¶
The port for Redis to listen to.
Type: signed integer
Default:
6379Declared by:
services.redis.requirePass¶
Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE). Use requirePassFile to store it outside of the nix store in a dedicated file.
Type: null or string
Default:
nullExample:
"letmein!"Declared by:
services.redis.requirePassFile¶
File with password for the database.
Type: null or path
Default:
nullExample:
"/run/keys/redis-password"Declared by:
services.redis.save¶
The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes.
Type: list of list of signed integerss
Default: ``[
[ 900 1 ]
[ 300 10 ]
[ 60 10000 ]
]``
Example: ``[
[ 900 1 ]
[ 300 10 ]
[ 60 10000 ]
]``
Declared by:
services.redis.slaveOf¶
An attribute set with two attributes: ip and port to which this redis instance acts as a slave.
Type: unspecified
Default:
nullExample:
{ ip = "192.168.1.100"; port = 6379; }Declared by:
services.redis.slowLogLogSlowerThan¶
Log queries whose execution take longer than X in milliseconds.
Type: signed integer
Default:
10000Example:
1000Declared by:
services.redis.slowLogMaxLen¶
Maximum number of items to keep in slow log.
Type: signed integer
Default:
128Declared by:
services.redis.syslog¶
Enable logging to the system logger.
Type: boolean
Default:
trueDeclared by:
services.redis.unixSocket¶
The path to the socket to bind to.
Type: null or path
Default:
nullExample:
"/run/redis/redis.sock"Declared by:
services.redis.vmOverCommit¶
Set vm.overcommit_memory to 1 (Suggested for Background Saving: http://redis.io/topics/faq)
Type: boolean
Default:
falseDeclared by:
services.redmine.enable¶
Whether to enable Redmine.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.redmine.package¶
Which Redmine package to use.
Type: package
Default:
*(build of redmine-4.1.0)*Example:
"pkgs.redmine.override { ruby = pkgs.ruby_2_7; }"Declared by:
services.redmine.database.createLocally¶
Create the database and database user locally.
Type: boolean
Default:
trueDeclared by:
services.redmine.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.redmine.database.name¶
Database name.
Type: string
Default:
"redmine"Declared by:
services.redmine.database.password¶
The password corresponding to . Warning: this is stored in cleartext in the Nix store! Use instead.
Type: string
Default:
""Declared by:
services.redmine.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/redmine-dbpassword"Declared by:
services.redmine.database.port¶
Database host port.
Type: signed integer
Default:
"3306"Declared by:
services.redmine.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
"/run/mysqld/mysqld.sock"Example:
"/run/mysqld/mysqld.sock"Declared by:
services.redmine.database.type¶
Database engine to use.
Type: one of “mysql2”, “postgresql”
Default:
"mysql2"Example:
"postgresql"Declared by:
services.redmine.database.user¶
Database user.
Type: string
Default:
"redmine"Declared by:
services.redmine.extraConfig¶
Extra configuration in configuration.yml.
See ` <https://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
email_delivery: delivery_method: smtp smtp_settings: address: mail.example.com port: 25Declared by:
services.redmine.extraEnv¶
Extra configuration in additional_environment.rb.
See ` <https://svn.redmine.org/redmine/trunk/config/additional_environment.rb.example>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
config.logger.level = Logger::DEBUGDeclared by:
services.redmine.group¶
Group under which Redmine is ran.
Type: string
Default:
"redmine"Declared by:
services.redmine.plugins¶
Set of plugins.
Type: attribute set of paths
Default: ``{
}``
Example:
{ redmine_env_auth = builtins.fetchurl { url = https://github.com/Intera/redmine_env_auth/archive/0.6.zip; sha256 = "0yyr1yjd8gvvh832wdc8m3xfnhhxzk2pk3gm2psg5w9jdvd6skak"; }; }Declared by:
services.redmine.port¶
Port on which Redmine is ran.
Type: signed integer
Default:
3000Declared by:
services.redmine.stateDir¶
The state directory, logs and plugins are stored here.
Type: string
Default:
"/var/lib/redmine"Declared by:
services.redmine.themes¶
Set of themes.
Type: attribute set of paths
Default: ``{
}``
Example:
{ dkuk-redmine_alex_skin = builtins.fetchurl { url = https://bitbucket.org/dkuk/redmine_alex_skin/get/1842ef675ef3.zip; sha256 = "0hrin9lzyi50k4w2bd2b30vrf1i4fi1c0gyas5801wn8i7kpm9yl"; }; }Declared by:
services.redmine.user¶
User under which Redmine is ran.
Type: string
Default:
"redmine"Declared by:
services.redshift.enable¶
Enable Redshift to change your screen’s colour temperature depending on the time of day.
Type: boolean
Default:
falseDeclared by:
services.redshift.package¶
redshift derivation to use.
Type: package
Default:
"pkgs.redshift"Declared by:
services.redshift.brightness.day¶
Screen brightness to apply during the day, between
0.1and1.0.Type: string
Default:
"1"Declared by:
services.redshift.brightness.night¶
Screen brightness to apply during the night, between
0.1and1.0.Type: string
Default:
"1"Declared by:
services.redshift.extraOptions¶
Additional command-line arguments to pass to:command:redshift.
Type: list of strings
Default: ``[
]``
Example:
[ "-v" "-m randr" ]Declared by:
services.redshift.temperature.day¶
Colour temperature to use during the day, between``1000`` and
25000K.Type: signed integer
Default:
5500Declared by:
services.redshift.temperature.night¶
Colour temperature to use at night, between``1000`` and
25000K.Type: signed integer
Default:
3700Declared by:
services.redsocks.enable¶
Whether to enable redsocks.
Type: boolean
Default:
falseDeclared by:
services.redsocks.chroot¶
Chroot under which to run redsocks. Log file is opened before chroot, but if logging to syslog /etc/localtime may be required.
Type: null or string
Default:
nullDeclared by:
services.redsocks.log¶
Where to send logs.
Possible values are: - stderr - file:/path/to/file - syslog:FACILITY where FACILITY is any of “daemon”, “local0”, etc.
Type: string
Default:
"stderr"Declared by:
services.redsocks.log_debug¶
Log connection progress.
Type: boolean
Default:
falseDeclared by:
services.redsocks.log_info¶
Log start and end of client sessions.
Type: boolean
Default:
falseDeclared by:
services.redsocks.redsocks¶
Local port to proxy associations to be performed.
The example shows how to configure a proxy to handle port 80 as HTTP relay, and all other ports as HTTP connect.
Type: list of submodules
Example: ``[
{ doNotRedirect = [ “-d 1.2.0.0/16” ] ; port = 23456; proxy = “1.2.3.4:8080”; redirectCondition = “–dport 80”; type = “http-relay”; }
{ doNotRedirect = [ “-d 1.2.0.0/16” ] ; port = 23457; proxy = “1.2.3.4:8080”; redirectCondition = true; type = “http-connect”; }
]``
Declared by:
services.redsocks.redsocks.*.disclose_src¶
Way to disclose client IP to the proxy. - “false”: do not disclose http-connect supports the following ways: - “X-Forwarded-For”: add header “X-Forwarded-For: IP” - “Forwarded_ip”: add header “Forwarded: for=IP” (see RFC7239) - “Forwarded_ipport”: add header ‘Forwarded: for=”IP:port”’
Type: one of “false”, “X-Forwarded-For”, “Forwarded_ip”, “Forwarded_ipport”
Default:
"false"Declared by:
services.redsocks.redsocks.*.doNotRedirect¶
Iptables filters that if matched will get the packet off of redsocks.
Type: list of strings
Default: ``[
]``
Example:
[ "-d 1.2.3.4" ]Declared by:
services.redsocks.redsocks.*.ip¶
IP on which redsocks should listen. Defaults to 127.0.0.1 for security reasons.
Type: string
Default:
"127.0.0.1"Declared by:
services.redsocks.redsocks.*.login¶
Login to send to proxy.
Type: null or string
Default:
nullDeclared by:
services.redsocks.redsocks.*.password¶
Password to send to proxy. WARNING, this will end up world-readable in the store! Awaiting https://github.com/NixOS/nix/issues/8 to be able to fix.
Type: null or string
Default:
nullDeclared by:
services.redsocks.redsocks.*.port¶
Port on which redsocks should listen.
Type: signed integer
Default:
12345Declared by:
services.redsocks.redsocks.*.proxy¶
Proxy through which redsocks should forward incoming traffic. Example: “example.org:8080”
Type: string
Declared by:
services.redsocks.redsocks.*.redirectCondition¶
Conditions to make outbound packets go through this redsocks instance.
If set to false, no packet will be forwarded. If set to true, all packets will be forwarded (except packets excluded by redirectInternetOnly).
If set to a string, this is an iptables filter that will be matched against packets before getting them into redsocks. For example, setting it to “–dport 80” will only send packets to port 80 to redsocks. Note “-p tcp” is always implicitly added, as udp can only be proxied through redudp or the like.
Type: boolean or string
Default:
falseDeclared by:
services.redsocks.redsocks.*.redirectInternetOnly¶
Exclude all non-globally-routable IPs from redsocks
Type: boolean
Default:
trueDeclared by:
services.redsocks.redsocks.*.type¶
Type of proxy.
Type: one of “socks4”, “socks5”, “http-connect”, “http-relay”
Declared by:
services.resilio.enable¶
If enabled, start the Resilio Sync daemon. Once enabled, you can interact with the service through the Web UI, or configure it in your NixOS configuration.
Type: boolean
Default:
falseDeclared by:
services.resilio.enableWebUI¶
Enable Web UI for administration. Bound to the specified``httpListenAddress`` and``httpListenPort``.
Type: boolean
Default:
falseDeclared by:
services.resilio.apiKey¶
API key, which enables the developer API.
Type: string
Default:
""Declared by:
services.resilio.checkForUpdates¶
Determines whether to check for updates and alert the user about them in the UI.
Type: boolean
Default:
trueDeclared by:
services.resilio.deviceName¶
Name of the Resilio Sync device.
Type: string
Default:
"nixos"Example:
"Voltron"Declared by:
services.resilio.directoryRoot¶
Default directory to add folders in the web UI.
Type: string
Default:
""Example:
"/media"Declared by:
services.resilio.downloadLimit¶
Download speed limit. 0 is unlimited (default).
Type: signed integer
Default:
0Example:
1024Declared by:
services.resilio.encryptLAN¶
Encrypt LAN data.
Type: boolean
Default:
trueDeclared by:
services.resilio.httpListenAddr¶
HTTP address to bind to.
Type: string
Default:
"0.0.0.0"Example:
"1.2.3.4"Declared by:
services.resilio.httpListenPort¶
HTTP port to bind on.
Type: signed integer
Default:
9000Declared by:
services.resilio.httpLogin¶
HTTP web login username.
Type: string
Default:
""Example:
"allyourbase"Declared by:
services.resilio.httpPass¶
HTTP web login password.
Type: string
Default:
""Example:
"arebelongtous"Declared by:
services.resilio.listeningPort¶
Listening port. Defaults to 0 which randomizes the port.
Type: signed integer
Default:
0Example:
44444Declared by:
services.resilio.storagePath¶
Where BitTorrent Sync will store it’s database files (containing things like username info and licenses). Generally, you should not need to ever change this.
Type: path
Default:
"/var/lib/resilio-sync/"Declared by:
services.resilio.uploadLimit¶
Upload speed limit. 0 is unlimited (default).
Type: signed integer
Default:
0Example:
1024Declared by:
services.resilio.useUpnp¶
Use Universal Plug-n-Play (UPnP)
Type: boolean
Default:
trueDeclared by:
services.resolved.enable¶
Whether to enable the systemd DNS resolver daemon.
Type: boolean
Default:
falseDeclared by:
services.resolved.dnssec¶
If set to
"true"all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS). Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does not properly support DNSSEC all validations will fail.
"allow-downgrade"DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes DNSSEC validation vulnerable to “downgrade” attacks, where an attacker might be able to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported.
"false"DNS lookups are not DNSSEC validated.Type: one of “true”, “allow-downgrade”, “false”
Default:
"allow-downgrade"Example:
"true"Declared by:
services.resolved.domains¶
A list of domains. These domains are used as search suffixes when resolving single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified domain names (FQDNs).
For compatibility reasons, if this setting is not specified, the search domains listed in:file:/etc/resolv.conf are used instead, if that file exists and any domains are configured in it.
Type: list of strings
Default: ``[
]``
Example:
[ "example.com" ]Declared by:
services.resolved.extraConfig¶
Extra config to append to resolved.conf.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.resolved.fallbackDns¶
A list of IPv4 and IPv6 addresses to use as the fallback DNS servers. If this option is empty, a compiled-in list of DNS servers is used instead.
Type: list of strings
Default: ``[
]``
Example:
[ "8.8.8.8" "2001:4860:4860::8844" ]Declared by:
services.resolved.llmnr¶
Controls Link-Local Multicast Name Resolution support (RFC 4795) on the local host.
If set to
"true"Enables full LLMNR responder and resolver support.
"false"Disables both.
"resolve"Only resolution support is enabled, but responding is disabled.Type: one of “true”, “resolve”, “false”
Default:
"true"Example:
"false"Declared by:
services.restic.backups¶
Periodic backups to create with Restic.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ localbackup = { initialize = true; passwordFile = "/etc/nixos/secrets/restic-password"; paths = [ "/home" ] ; repository = "/mnt/backup-hdd"; } ; remotebackup = { extraOptions = [ "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'" ] ; passwordFile = "/etc/nixos/secrets/restic-password"; paths = [ "/home" ] ; repository = "sftp:backup@host:/backups/home"; timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; } ; } ; }Declared by:
services.restic.backups.<name>.dynamicFilesFrom¶
A script that produces a list of files to back up. The results of this command are given to the ‘–files-from’ option.
Type: null or string
Default:
nullExample:
"find /home/matt/git -type d -name .git"Declared by:
services.restic.backups.<name>.extraBackupArgs¶
Extra arguments passed to restic backup.
Type: list of strings
Default: ``[
]``
Example:
[ "--exclude-file=/etc/nixos/restic-ignore" ]Declared by:
services.restic.backups.<name>.extraOptions¶
Extra extended options to be passed to the restic –option flag.
Type: list of strings
Default: ``[
]``
Example:
[ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ]Declared by:
services.restic.backups.<name>.initialize¶
Create the repository if it doesn’t exist.
Type: boolean
Default:
falseDeclared by:
services.restic.backups.<name>.passwordFile¶
Read the repository password from a file.
Type: string
Example:
"/etc/nixos/restic-password"Declared by:
services.restic.backups.<name>.paths¶
Which paths to backup.
Type: list of strings
Default: ``[
]``
Example:
[ "/var/lib/postgresql" "/home/user/backup" ]Declared by:
services.restic.backups.<name>.pruneOpts¶
A list of options (–keep-* et al.) for ‘restic forget –prune’, to automatically prune old snapshots. The ‘forget’ command is run *after* the ‘backup’ command, so keep that in mind when constructing the –keep-* options.
Type: list of strings
Default: ``[
]``
Example:
[ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ]Declared by:
services.restic.backups.<name>.repository¶
repository to backup to.
Type: string
Example:
"sftp:backup@192.168.1.100:/backups/‹name›"Declared by:
services.restic.backups.<name>.s3CredentialsFile¶
file containing the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for an S3-hosted repository, in the format of an EnvironmentFile as described by systemd.exec(5)
Type: null or string
Default:
nullDeclared by:
services.restic.backups.<name>.timerConfig¶
When to run the backup. See man systemd.timer for details.
Type: attribute set of systemd options
Default:
{ OnCalendar = "daily"; }Example:
{ OnCalendar = "00:05"; RandomizedDelaySec = "5h"; }Declared by:
services.restic.backups.<name>.user¶
As which user the backup should run.
Type: string
Default:
"root"Example:
"postgresql"Declared by:
services.restic.server.enable¶
Whether to enable Restic REST Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.restic.server.package¶
Restic REST server package to use.
Type: package
Default:
"pkgs.restic-rest-server"Declared by:
services.restic.server.appendOnly¶
Enable append only mode. This mode allows creation of new backups but prevents deletion and modification of existing backups. This can be useful when backing up systems that have a potential of being hacked.
Type: boolean
Default:
falseDeclared by:
services.restic.server.dataDir¶
The directory for storing the restic repository.
Type: path
Default:
"/var/lib/restic"Declared by:
services.restic.server.extraFlags¶
Extra commandline options to pass to Restic REST server.
Type: list of strings
Default: ``[
]``
Declared by:
services.restic.server.listenAddress¶
Listen on a specific IP address and port.
Type: string
Default:
":8000"Example:
"127.0.0.1:8080"Declared by:
services.restic.server.privateRepos¶
Enable private repos. Grants access only when a subdirectory with the same name as the user is specified in the repository URL.
Type: boolean
Default:
falseDeclared by:
services.restic.server.prometheus¶
Enable Prometheus metrics at /metrics.
Type: boolean
Default:
falseDeclared by:
services.restya-board.enable¶
Whether to enable restya-board.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.restya-board.dataDir¶
Data of the application.
Type: path
Default:
"/var/lib/restya-board"Example:
"/var/lib/restya-board"Declared by:
services.restya-board.database.host¶
Host of the database. Leave ‘null’ to use a local PostgreSQL database. A local PostgreSQL database is initialized automatically.
Type: null or string
Default:
nullDeclared by:
services.restya-board.database.name¶
Name of the database. The database must exist.
Type: string
Default:
"restya_board"Declared by:
services.restya-board.database.passwordFile¶
The database user’s password. ‘null’ if no password is set.
Type: null or path
Default:
nullDeclared by:
services.restya-board.database.port¶
The database’s port.
Type: null or signed integer
Default:
5432Declared by:
services.restya-board.database.user¶
The database user. The user must exist and have access to the specified database.
Type: string
Default:
"restya_board"Declared by:
services.restya-board.email.login¶
SMTP authentication login used when sending outgoing mail.
Type: string
Default:
""Declared by:
services.restya-board.email.password¶
SMTP authentication password used when sending outgoing mail.
ATTENTION: The password is stored world-readable in the nix-store!
Type: string
Default:
""Declared by:
services.restya-board.email.port¶
Port used to connect to SMTP server.
Type: signed integer
Default:
25Declared by:
services.restya-board.email.server¶
Hostname to send outgoing mail. Null to use the system MTA.
Type: null or string
Default:
nullExample:
"localhost"Declared by:
services.restya-board.group¶
Group account under which the web-application runs.
Type: string
Default:
"nginx"Example:
"nginx"Declared by:
services.restya-board.timezone¶
Timezone the web-app runs in.
Type: strings concatenated with “\n”
Default:
"GMT"Declared by:
services.restya-board.user¶
User account under which the web-application runs.
Type: string
Default:
"restya-board"Example:
"restya-board"Declared by:
services.restya-board.virtualHost.listenHost¶
Listen address for the virtualhost to use.
Type: string
Default:
"localhost"Declared by:
services.restya-board.virtualHost.listenPort¶
Listen port for the virtualhost to use.
Type: signed integer
Default:
3000Declared by:
services.restya-board.virtualHost.serverName¶
Name of the nginx virtualhost to use.
Type: string
Default:
"restya.board"Declared by:
services.riak.enable¶
Whether to enable riak.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.riak.package¶
Riak package to use.
Type: package
Default:
"pkgs.riak"Example:
pkgs.riakDeclared by:
services.riak.dataDir¶
Data directory for Riak.
Type: path
Default:
"/var/db/riak"Declared by:
services.riak.distributedCookie¶
Cookie for distributed node communication. All nodes in the same cluster should use the same cookie or they will not be able to communicate.
Type: string
Default:
"riak"Declared by:
services.riak.extraAdvancedConfig¶
Additional text to be appended to
advanced.config.Type: strings concatenated with “\n”
Default:
""Declared by:
services.riak.extraConfig¶
Additional text to be appended to
riak.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.riak.logDir¶
Log directory for Riak.
Type: path
Default:
"/var/log/riak"Declared by:
services.riak.nodeName¶
Name of the Erlang node.
Type: string
Default:
"riak@127.0.0.1"Declared by:
services.riak-cs.enable¶
Whether to enable riak-cs.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.riak-cs.package¶
Riak package to use.
Type: package
Default:
"pkgs.riak-cs"Example:
pkgs.riak-csDeclared by:
services.riak-cs.anonymousUserCreation¶
Anonymous user creation.
Type: boolean
Default:
falseDeclared by:
services.riak-cs.dataDir¶
Data directory for Riak CS.
Type: path
Default:
"/var/db/riak-cs"Declared by:
services.riak-cs.distributedCookie¶
Cookie for distributed node communication. All nodes in the same cluster should use the same cookie or they will not be able to communicate.
Type: string
Default:
"riak"Declared by:
services.riak-cs.extraAdvancedConfig¶
Additional text to be appended to
advanced.config.Type: strings concatenated with “\n”
Default:
""Declared by:
services.riak-cs.extraConfig¶
Additional text to be appended to
riak-cs.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.riak-cs.listener¶
Name of Riak CS listening service.
Type: string
Default:
"127.0.0.1:8080"Declared by:
services.riak-cs.logDir¶
Log directory for Riak CS.
Type: path
Default:
"/var/log/riak-cs"Declared by:
services.riak-cs.nodeName¶
Name of the Erlang node.
Type: string
Default:
"riak-cs@127.0.0.1"Declared by:
services.riak-cs.riakHost¶
Name of riak hosting service.
Type: string
Default:
"127.0.0.1:8087"Declared by:
services.riak-cs.stanchionHost¶
Name of stanchion hosting service.
Type: string
Default:
"127.0.0.1:8085"Declared by:
services.riak-cs.stanchionSsl¶
Tell stanchion to use SSL.
Type: boolean
Default:
trueDeclared by:
services.riemann.enable¶
Enable the Riemann network monitoring daemon.
Type: boolean
Default:
falseDeclared by:
services.riemann.config¶
Contents of the Riemann configuration file. For more complicated config you should use configFile.
Type: strings concatenated with “\n”
Declared by:
services.riemann.configFile¶
A Riemann config file. Any files in the same directory as this file will be added to the classpath by Riemann.
Type: string
Declared by:
services.riemann.configFiles¶
Extra files containing Riemann configuration. These files will be loaded at runtime by Riemann (with Clojure’s``load-file`` function) at the end of the configuration if you use the config option, this is ignored if you use configFile.
Type: list of paths
Default: ``[
]``
Declared by:
services.riemann.extraClasspathEntries¶
Extra entries added to the Java classpath when running Riemann.
Type: list of strings
Default: ``[
]``
Declared by:
services.riemann.extraJavaOpts¶
services.riemann-dash.enable¶
Enable the riemann-dash dashboard daemon.
Type: boolean
Default:
falseDeclared by:
services.riemann-dash.config¶
Contents added to the end of the riemann-dash configuration file.
Type: strings concatenated with “\n”
Declared by:
services.riemann-dash.dataDir¶
Location of the riemann-base dir. The dashboard configuration file is is stored to this directory. The directory is created automatically on service start, and owner is set to the riemanndash user.
Type: string
Default:
"/var/riemann-dash"Declared by:
services.riemann-tools.enableHealth¶
Enable the riemann-health daemon.
Type: boolean
Default:
falseDeclared by:
services.riemann-tools.extraArgs¶
A list of commandline-switches forwarded to a riemann-tool. See for example `riemann-health –help` for available options.
Type: list of strings
Default: ``[
]``
Example:
[ "-p 5555" "--timeout=30" "--attribute=myattribute=42" ]Declared by:
services.riemann-tools.riemannHost¶
Address of the host riemann node. Defaults to localhost.
Type: string
Default:
"127.0.0.1"Declared by:
services.rippleDataApi.enable¶
Whether to enable ripple data api.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.rippleDataApi.couchdb.create¶
Whether to create couchdb database needed by ripple data api.
Type: boolean
Default:
trueDeclared by:
services.rippleDataApi.couchdb.db¶
Ripple data api couchdb database.
Type: string
Default:
"rippled"Declared by:
services.rippleDataApi.couchdb.host¶
Ripple data api couchdb host.
Type: string
Default:
"localhost"Declared by:
services.rippleDataApi.couchdb.pass¶
Ripple data api couchdb password.
Type: string
Default:
""Declared by:
services.rippleDataApi.couchdb.port¶
Ripple data api couchdb port.
Type: signed integer
Default:
5984Declared by:
services.rippleDataApi.couchdb.user¶
Ripple data api couchdb username.
Type: string
Default:
"rippled"Declared by:
services.rippleDataApi.importMode¶
Ripple data api import mode.
Type: one of “live”, “liveOnly”
Default:
"liveOnly"Declared by:
services.rippleDataApi.maxLedger¶
Ripple data api maximal ledger to fetch.
Type: null or signed integer
Default:
nullDeclared by:
services.rippleDataApi.minLedger¶
Ripple data api minimal ledger to fetch.
Type: null or signed integer
Default:
nullDeclared by:
services.rippleDataApi.port¶
Ripple data api port
Type: signed integer
Default:
5993Declared by:
services.rippleDataApi.redis.enable¶
Whether to enable caching of ripple data to redis.
Type: boolean
Default:
trueDeclared by:
services.rippleDataApi.redis.host¶
Ripple data api redis host.
Type: string
Default:
"localhost"Declared by:
services.rippleDataApi.redis.port¶
Ripple data api redis port.
Type: signed integer
Default:
5984Declared by:
services.rippleDataApi.rippleds¶
List of rippleds to be used by ripple data api.
Type: list of strings
Default:
[ "http://s_east.ripple.com:51234" "http://s_west.ripple.com:51234" ]Declared by:
services.rippled.enable¶
Whether to enable rippled.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.rippled.package¶
Which rippled package to use.
Type: package
Default:
"pkgs.rippled"Declared by:
services.rippled.databasePath¶
Path to the ripple database.
Type: path
Default:
"/var/lib/rippled"Declared by:
services.rippled.extraConfig¶
Extra lines to be added verbatim to the rippled.cfg configuration file.
Type: unspecified
Default:
""Declared by:
services.rippled.fetchDepth¶
The number of past ledgers to serve to other peers that request historical ledger data (or “full” for no limit).
Type: signed integer or one of “full”
Default:
"full"Declared by:
services.rippled.importDb¶
Settings for performing a one-time import.
Type: null or submodule
Default:
nullDeclared by:
services.rippled.importDb.advisoryDelete¶
If set, then require administrative RPC call “can_delete” to enable online deletion of ledger records.
Type: null or boolean
Default:
nullDeclared by:
services.rippled.importDb.compression¶
Whether to enable snappy compression.
Type: null or boolean
Default:
nullDeclared by:
services.rippled.importDb.extraOpts¶
Extra database options.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rippled.importDb.onlineDelete¶
Enable automatic purging of older ledger information.
Type: null or signed integer
Default:
1296000Declared by:
services.rippled.importDb.path¶
Location to store the database.
Type: path
Default:
"/var/lib/rippled"Declared by:
services.rippled.importDb.type¶
Rippled database type.
Type: one of “rocksdb”, “nudb”
Default:
"rocksdb"Declared by:
services.rippled.ips¶
List of hostnames or ips where the Ripple protocol is served. For a starter list, you can either copy entries from: https://ripple.com/ripple.txt or if you prefer you can let it default to r.ripple.com 51235
A port may optionally be specified after adding a space to the address. By convention, if known, IPs are listed in from most to least trusted.
Type: list of strings
Default:
[ "r.ripple.com 51235" ]Declared by:
services.rippled.ipsFixed¶
List of IP addresses or hostnames to which rippled should always attempt to maintain peer connections with. This is useful for manually forming private networks, for example to configure a validation server that connects to the Ripple network through a public-facing server, or for building a set of cluster peers.
A port may optionally be specified after adding a space to the address
Type: list of strings
Default: ``[
]``
Declared by:
services.rippled.ledgerHistory¶
The number of past ledgers to acquire on server startup and the minimum to maintain while running.
Type: signed integer or one of “full”
Default:
1296000Declared by:
services.rippled.logLevel¶
Logging verbosity.
Type: one of “debug”, “error”, “info”
Default:
"error"Declared by:
services.rippled.nodeDb¶
Rippled main database options.
Type: null or submodule
Default:
{ extraOpts = "open_files=2000\\nfilter_bits=12\\ncache_mb=256\\nfile_size_pb=8\\nfile_size_mult=2;\\n"; type = "rocksdb"; }Declared by:
services.rippled.nodeDb.advisoryDelete¶
If set, then require administrative RPC call “can_delete” to enable online deletion of ledger records.
Type: null or boolean
Default:
nullDeclared by:
services.rippled.nodeDb.compression¶
Whether to enable snappy compression.
Type: null or boolean
Default:
nullDeclared by:
services.rippled.nodeDb.extraOpts¶
Extra database options.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rippled.nodeDb.onlineDelete¶
Enable automatic purging of older ledger information.
Type: null or signed integer
Default:
1296000Declared by:
services.rippled.nodeDb.path¶
Location to store the database.
Type: path
Default:
"/var/lib/rippled"Declared by:
services.rippled.nodeDb.type¶
Rippled database type.
Type: one of “rocksdb”, “nudb”
Default:
"rocksdb"Declared by:
services.rippled.nodeSize¶
Rippled size of the node you are running. “tiny”, “small”, “medium”, “large”, and “huge”
Type: one of “tiny”, “small”, “medium”, “large”, “huge”
Default:
"small"Declared by:
services.rippled.ports¶
Ports exposed by rippled
Type: attribute set of submodules
Default:
{ peer = { ip = "0.0.0.0"; port = 51235; protocol = [ "peer" ] ; } ; rpc = { admin = [ "127.0.0.1" ] ; port = 5005; protocol = [ "http" ] ; } ; ws_public = { ip = "0.0.0.0"; port = 5006; protocol = [ "ws" "wss" ] ; } ; }Declared by:
services.rippled.ports.<name>.admin¶
A comma-separated list of admin IP addresses.
Type: list of strings
Default:
[ "127.0.0.1" ]Declared by:
services.rippled.ports.<name>.ip¶
Ip where rippled listens.
Type: string
Default:
"127.0.0.1"Declared by:
services.rippled.ports.<name>.password¶
When set, these credentials will be required on HTTP/S requests.
Type: string
Default:
""Declared by:
services.rippled.ports.<name>.port¶
Port where rippled listens.
Type: signed integer
Declared by:
services.rippled.ports.<name>.protocol¶
Protocols expose by rippled.
Type: list of one of “http”, “https”, “ws”, “wss”, “peer”s
Declared by:
services.rippled.ports.<name>.ssl.cert¶
Specifies the path to the SSL certificate file in PEM format. This is not needed if the chain includes it.
Type: null or path
Default:
nullDeclared by:
services.rippled.ports.<name>.ssl.chain¶
If you need a certificate chain, specify the path to the certificate chain here. The chain may include the end certificate.
Type: null or path
Default:
nullDeclared by:
services.rippled.ports.<name>.ssl.key¶
Specifies the filename holding the SSL key in PEM format.
Type: null or path
Default:
nullDeclared by:
services.rippled.ports.<name>.user¶
When set, these credentials will be required on HTTP/S requests.
Type: string
Default:
""Declared by:
services.rippled.sntpServers¶
IP address or domain of NTP servers to use for time synchronization.;
Type: list of strings
Default:
[ "time.windows.com" "time.apple.com" "time.nist.gov" "pool.ntp.org" ]Declared by:
services.rippled.statsd.enable¶
Whether to enable statsd monitoring for rippled.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.rippled.statsd.address¶
The UDP address and port of the listening StatsD server.
Type: string
Default:
"127.0.0.1:8125"Declared by:
services.rippled.statsd.prefix¶
A string prepended to each collected metric.
Type: string
Default:
""Declared by:
services.rippled.tempDb¶
Rippled temporary database options.
Type: null or submodule
Default:
nullDeclared by:
services.rippled.tempDb.advisoryDelete¶
If set, then require administrative RPC call “can_delete” to enable online deletion of ledger records.
Type: null or boolean
Default:
nullDeclared by:
services.rippled.tempDb.compression¶
Whether to enable snappy compression.
Type: null or boolean
Default:
nullDeclared by:
services.rippled.tempDb.extraOpts¶
Extra database options.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rippled.tempDb.onlineDelete¶
Enable automatic purging of older ledger information.
Type: null or signed integer
Default:
1296000Declared by:
services.rippled.tempDb.path¶
Location to store the database.
Type: path
Default:
"/var/lib/rippled"Declared by:
services.rippled.tempDb.type¶
Rippled database type.
Type: one of “rocksdb”, “nudb”
Default:
"rocksdb"Declared by:
services.rippled.validationQuorum¶
The minimum number of trusted validations a ledger must have before the server considers it fully validated.
Type: signed integer
Default:
3Declared by:
services.rippled.validators¶
List of nodes to always accept as validators. Nodes are specified by domain or public key.
Type: list of strings
Default:
[ "n949f75evCHwgyP4fPVgaHqNHxUVN15PsJEZ3B3HnXPcPjcZAoy7 RL1" "n9MD5h24qrQqiyBC8aeqqCWvpiBiYQ3jxSr91uiDvmrkyHRdYLUj RL2" "n9L81uNCaPgtUJfaHh89gmdvXKAmSt5Gdsw2g1iPWaPkAHW5Nm4C RL3" "n9KiYM9CgngLvtRCQHZwgC2gjpdaZcCcbt3VboxiNFcKuwFVujzS RL4" "n9LdgEtkmGB9E2h3K4Vp7iGUaKuq23Zr32ehxiU8FWY7xoxbWTSA RL5" ]Declared by:
services.rogue.enable¶
Whether to enable the Rogue game on one of the virtual consoles.
Type: boolean
Default:
falseDeclared by:
services.rogue.tty¶
Virtual console on which to run Rogue.
Type: string
Default:
"tty9"Declared by:
services.roon-server.enable¶
Whether to enable Roon Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.roon-server.group¶
Group to run the Roon Server as.
Type: string
Default:
"roon-server"Declared by:
services.roon-server.openFirewall¶
Open ports in the firewall for the server.
UDP: 9003 TCP: 9100 - 9200
Type: boolean
Default:
falseDeclared by:
services.roon-server.user¶
User to run the Roon Server as.
Type: string
Default:
"roon-server"Declared by:
services.roundcube.enable¶
Whether to enable roundcube.
Also enables nginx virtual host management. Further nginx configuration can be done by adapting
services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.Type: boolean
Default:
falseDeclared by:
services.roundcube.package¶
The package which contains roundcube’s sources. Can be overriden to create an environment which contains roundcube and third-party plugins.
Type: package
Default:
*(build of roundcube-1.4.3)*Example:
roundcube.withPlugins (plugins: [ plugins.persistent_login ])Declared by:
services.roundcube.database.dbname¶
Name of the postgresql database
Type: string
Default:
"roundcube"Declared by:
services.roundcube.database.host¶
Host of the postgresql server. If this is not set to``localhost``, you have to create the postgresql user and database yourself, with appropriate permissions.
Type: string
Default:
"localhost"Declared by:
services.roundcube.database.password¶
Password for the postgresql connection. Do not use: the password will be stored world readable in the store; use
passwordFileinstead.Type: string
Default:
""Declared by:
services.roundcube.database.passwordFile¶
Password file for the postgresql connection. Must be readable by user
nginx. Ignored ifdatabase.hostis set tolocalhost, as peer authentication will be used.Type: string
Declared by:
services.roundcube.database.username¶
Username for the postgresql connection. If
database.hostis set tolocalhost, a unix user and group of the same name will be created as well.Type: string
Default:
"roundcube"Declared by:
services.roundcube.extraConfig¶
Extra configuration for roundcube webmail instance
Type: strings concatenated with “\n”
Default:
""Declared by:
services.roundcube.hostName¶
Hostname to use for the nginx vhost
Type: string
Example:
"webmail.example.com"Declared by:
services.roundcube.plugins¶
List of roundcube plugins to enable. Currently, only those directly shipped with Roundcube are supported.
Type: list of strings
Default: ``[
]``
Declared by:
services.rpcbind.enable¶
Whether to enable `rpcbind’, an ONC RPC directory service notably used by NFS and NIS, and which can be queried using the rpcinfo(1) command. `rpcbind` is a replacement for `portmap`.
Type: boolean
Default:
falseDeclared by:
services.rsnapshot.enable¶
Whether to enable rsnapshot backups.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.rsnapshot.enableManualRsnapshot¶
Whether to enable manual usage of the rsnapshot command with this module.
Type: boolean
Default:
trueDeclared by:
services.rsnapshot.cronIntervals¶
Periodicity at which intervals should be run by cron. Note that the intervals also have to exist in configuration as retain options.
Type: attribute set of strings
Default: ``{
}``
Example:
{ daily = "50 21 * * \*"; hourly = "0 * * * \*"; }Declared by:
services.rsnapshot.extraConfig¶
rsnapshot configuration option in addition to the defaults from rsnapshot and this module.
Note that tabs are required to separate option arguments, and directory names require trailing slashes.
The “extra” in the option name might be a little misleading right now, as it is required to get a functional configuration.
Type: strings concatenated with “\n”
Default:
""Example:
'' retains hourly 24 retain daily 365 backup /home/ localhost/ ''Declared by:
services.rspamd.enable¶
Whether to enable rspamd, the Rapid spam filtering system.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.rspamd.debug¶
Whether to run the rspamd daemon in debug mode.
Type: boolean
Default:
falseDeclared by:
services.rspamd.extraConfig¶
Extra configuration to add at the end of the rspamd configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rspamd.group¶
Group to use when no root privileges are required.
Type: string
Default:
"rspamd"Declared by:
services.rspamd.localLuaRules¶
Path of file to link to
/etc/rspamd/rspamd.local.luafor local rules written in LuaType: null or path
Default:
nullDeclared by:
services.rspamd.locals¶
Local configuration files, written into
/etc/rspamd/local.d/name.Type: attribute set of submodules
Default: ``{
}``
Example:
{ "redis.conf".source = "/nix/store/.../etc/dir/redis.conf"; "arc.conf".text = "allow_envfrom_empty = true;"; }Declared by:
services.rspamd.locals.<name>.enable¶
Whether this file locals should be generated. This option allows specific locals files to be disabled.
Type: boolean
Default:
trueDeclared by:
services.rspamd.locals.<name>.source¶
services.rspamd.locals.<name>.text¶
Text of the file.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.rspamd.overrides¶
Overridden configuration files, written into
/etc/rspamd/override.d/name.Type: attribute set of submodules
Default: ``{
}``
Example:
{ "redis.conf".source = "/nix/store/.../etc/dir/redis.conf"; "arc.conf".text = "allow_envfrom_empty = true;"; }Declared by:
services.rspamd.overrides.<name>.enable¶
Whether this file overrides should be generated. This option allows specific overrides files to be disabled.
Type: boolean
Default:
trueDeclared by:
services.rspamd.overrides.<name>.source¶
services.rspamd.overrides.<name>.text¶
Text of the file.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.rspamd.postfix.enable¶
Add rspamd milter to postfix main.conf
Type: boolean
Default:
falseDeclared by:
services.rspamd.postfix.config¶
Addon to postfix configuration
Type: attribute set of boolean or string or list of stringss
Default:
{ non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ] ; smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ] ; }Example:
{ non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ] ; smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ] ; }Declared by:
services.rspamd.user¶
User to use when no root privileges are required.
Type: string
Default:
"rspamd"Declared by:
services.rspamd.workers¶
Attribute set of workers to start.
Type: attribute set of submodules
Default: ``{ controller = {
} ; normal = {
}``
Example:
{ normal = { includes = [ "$CONFDIR/worker-normal.inc" ]; bindSockets = [{ socket = "/run/rspamd/rspamd.sock"; mode = "0660"; owner = "rspamd"; group = "rspamd"; }]; }; controller = { includes = [ "$CONFDIR/worker-controller.inc" ]; bindSockets = [ "[::1]:11334" ]; }; }Declared by:
services.rspamd.workers.<name>.enable¶
Whether to run the rspamd worker.
Type: null or boolean
Default:
nullDeclared by:
services.rspamd.workers.<name>.bindSockets¶
services.rspamd.workers.<name>.count¶
Number of worker instances to run
Type: null or signed integer
Default:
nullDeclared by:
services.rspamd.workers.<name>.extraConfig¶
Additional entries to put verbatim into worker section of rspamd config file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rspamd.workers.<name>.includes¶
services.rspamd.workers.<name>.name¶
Name of the worker
Type: null or string
Default:
"‹name›"Declared by:
services.rspamd.workers.<name>.type¶
The type of this worker. The type
proxyis deprecated and only kept for backwards compatibility and should be replaced withrspamd_proxy.Type: null or one of “normal”, “controller”, “fuzzy”, “rspamd_proxy”, “lua”, “proxy”
Declared by:
services.rss2email.enable¶
Whether to enable rss2email.
Type: boolean
Default:
falseDeclared by:
services.rss2email.config¶
The configuration to give rss2email.
Default will use system-wide
sendmailto send the email. This is rss2email’s default when running``r2e new``.This set contains key-value associations that will be set in the``[DEFAULT]`` block along with the``to`` parameter.
See
man r2efor more information on which parameters are accepted.Type: attribute set of string or signed integer or booleans
Default: ``{
}``
Declared by:
services.rss2email.feeds¶
The feeds to watch.
Type: attribute set of submodules
Declared by:
services.rss2email.feeds.<name>.to¶
Email address to which to send feed items.
If
null, this will not be set in the configuration file, and rss2email will make it default to``rss2email.to``.Type: null or string
Default:
nullDeclared by:
services.rss2email.feeds.<name>.url¶
The URL at which to fetch the feed.
Type: string
Declared by:
services.rss2email.interval¶
How often to check the feeds, in systemd interval format
Type: string
Default:
"12h"Declared by:
services.rss2email.to¶
Mail address to which to send emails
Type: string
Declared by:
services.rsyncd.enable¶
Whether to enable the rsync daemon.
Type: unspecified
Default:
falseDeclared by:
services.rsyncd.address¶
IP address the daemon will listen on; rsyncd will listen on all addresses if this is not specified.
Type: unspecified
Default:
""Example:
"192.168.1.2"Declared by:
services.rsyncd.extraConfig¶
Lines of configuration to add to rsyncd globally. See man rsyncd.conf for options.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.rsyncd.group¶
The group to run the daemon as. By default the daemon runs as root.
Type: string
Default:
"root"Declared by:
services.rsyncd.modules¶
A set describing exported directories. See man rsyncd.conf for options.
Type: attribute set of attribute set of stringss
Default: ``{
}``
Example:
{ srv = { comment = "Public rsync share."; path = "/srv"; read only = "yes"; } ; }Declared by:
services.rsyncd.motd¶
Message of the day to display to clients on each connect. This usually contains site information and any legal notices.
Type: string
Default:
""Declared by:
services.rsyncd.port¶
TCP port the daemon will listen on.
Type: signed integer
Default:
873Declared by:
services.rsyncd.user¶
The user to run the daemon as. By default the daemon runs as root.
Type: string
Default:
"root"Declared by:
services.rsyslogd.enable¶
Whether to enable syslogd. Note that systemd also logs syslog messages, so you normally don’t need to run syslogd.
Type: boolean
Default:
falseDeclared by:
services.rsyslogd.defaultConfig¶
The default
syslog.conffile configures a fairly standard setup of log files, which can be extended by means ofextraConfig.Type: strings concatenated with “\n”
Default:
'' # "local1" is used for dhcpd messages. local1.* -/var/log/dhcpd mail.* -/var/log/mail *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;local1.none -/var/log/messages ''Declared by:
services.rsyslogd.extraConfig¶
Additional text appended to
syslog.conf, i.e. the contents ofdefaultConfig.Type: strings concatenated with “\n”
Default:
""Example:
"news.* -/var/log/news"Declared by:
services.rsyslogd.extraParams¶
Additional parameters passed to rsyslogd.
Type: list of strings
Default: ``[
]``
Example:
[ "-m 0" ]Declared by:
services.sabnzbd.enable¶
Whether to enable the sabnzbd server.
Type: unspecified
Default:
falseDeclared by:
services.sabnzbd.configFile¶
Path to config file.
Type: unspecified
Default:
"/var/lib/sabnzbd/sabnzbd.ini"Declared by:
services.sabnzbd.group¶
Group to run the service as
Type: unspecified
Default:
"sabnzbd"Declared by:
services.sabnzbd.user¶
User to run the service as
Type: unspecified
Default:
"sabnzbd"Declared by:
services.safeeyes.enable¶
Whether to enable the safeeyes OSGi service
Type: unspecified
Default:
falseDeclared by:
services.salt.master.enable¶
Whether to enable Salt master service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.salt.master.configuration¶
services.salt.minion.enable¶
Whether to enable Salt minion service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.salt.minion.configuration¶
Salt minion configuration as Nix attribute set. See ` <https://docs.saltstack.com/en/latest/ref/configuration/minion.html>`_ for details.
Type: attribute set
Default: ``{
}``
Declared by:
services.samba.enable¶
Whether to enable Samba, which provides file and print services to Windows clients through the SMB/CIFS protocol.
Note
If you use the firewall consider adding the following:
networking.firewall.allowedTCPPorts = [ 139 445 ]; networking.firewall.allowedUDPPorts = [ 137 138 ];Type: boolean
Default:
falseDeclared by:
services.samba.enableNmbd¶
Whether to enable Samba’s nmbd, which replies to NetBIOS over IP name service requests. It also participates in the browsing protocols which make up the Windows “Network Neighborhood” view.
Type: boolean
Default:
trueDeclared by:
services.samba.enableWinbindd¶
Whether to enable Samba’s winbindd, which provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM and ntlm_auth and to Samba itself.
Type: boolean
Default:
trueDeclared by:
services.samba.package¶
Defines which package should be used for the samba server.
Type: package
Default:
"pkgs.samba"Example:
pkgs.samba4FullDeclared by:
services.samba.configText¶
Verbatim contents of smb.conf. If null (default), use the autogenerated file from NixOS instead.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.samba.extraConfig¶
Additional global section and extra section lines go in here.
Type: strings concatenated with “\n”
Default:
""Example:
'' guest account = nobody map to guest = bad user ''Declared by:
services.samba.invalidUsers¶
List of users who are denied to login via Samba.
Type: list of strings
Default:
[ "root" ]Declared by:
services.samba.nsswins¶
Whether to enable the WINS NSS (Name Service Switch) plug-in. Enabling it allows applications to resolve WINS/NetBIOS names (a.k.a. Windows machine names) by transparently querying the winbindd daemon.
Type: boolean
Default:
falseDeclared by:
services.samba.securityType¶
Samba security type
Type: string
Default:
"user"Example:
"share"Declared by:
services.samba.syncPasswordsByPam¶
Enabling this will add a line directly after pam_unix.so. Whenever a password is changed the samba password will be updated as well. However, you still have to add the samba password once, using smbpasswd -a user. If you don’t want to maintain an extra password database, you still can send plain text passwords which is not secure.
Type: boolean
Default:
falseDeclared by:
services.saned.enable¶
Enable saned network daemon for remote connection to scanners.
saned would be runned from
scanneruser; to allow access to hardware that doesn’t havescannergroup you should add needed groups to this user.Type: boolean
Default:
falseDeclared by:
services.saned.extraConfig¶
Extra saned configuration lines.
Type: strings concatenated with “\n”
Default:
""Example:
"192.168.0.0/24"Declared by:
services.sanoid.enable¶
Whether to enable Sanoid ZFS snapshotting service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sanoid.datasets¶
services.sanoid.datasets.<name>.autoprune¶
Whether to automatically prune old snapshots.
Type: boolean
Default:
trueDeclared by:
services.sanoid.datasets.<name>.autosnap¶
Whether to automatically take snapshots.
Type: boolean
Default:
trueDeclared by:
services.sanoid.datasets.<name>.daily¶
Number of daily snapshots.
Type: unsigned integer, meaning >=0
Default:
90Declared by:
services.sanoid.datasets.<name>.hourly¶
Number of hourly snapshots.
Type: unsigned integer, meaning >=0
Default:
48Declared by:
services.sanoid.datasets.<name>.monthly¶
Number of monthly snapshots.
Type: unsigned integer, meaning >=0
Default:
6Declared by:
services.sanoid.datasets.<name>.processChildrenOnly¶
Whether to only snapshot child datasets if recursing.
Type: boolean
Default:
falseDeclared by:
services.sanoid.datasets.<name>.recursive¶
Whether to recursively snapshot dataset children.
Type: boolean
Default:
falseDeclared by:
services.sanoid.datasets.<name>.settings¶
Free-form settings for this template/dataset. See` <https://github.com/jimsalterjrs/sanoid/blob/master/sanoid.defaults.conf>`_ for allowed values.
Type: dataset/template options
Declared by:
services.sanoid.datasets.<name>.useTemplate¶
Names of the templates to use for this dataset.
Type: list of template names
Default: ``[
]``
Declared by:
services.sanoid.datasets.<name>.yearly¶
Number of yearly snapshots.
Type: unsigned integer, meaning >=0
Default:
0Declared by:
services.sanoid.extraArgs¶
Extra arguments to pass to sanoid. See` <https://github.com/jimsalterjrs/sanoid/#sanoid-command-line-options>`_ for allowed options.
Type: list of strings
Default: ``[
]``
Example:
[ "--verbose" "--readonly" "--debug" ]Declared by:
services.sanoid.interval¶
Run sanoid at this interval. The default is to run hourly.
The format is described insystemd.time7.
Type: string
Default:
"hourly"Example:
"daily"Declared by:
services.sanoid.settings¶
Free-form settings written directly to the config file. See` <https://github.com/jimsalterjrs/sanoid/blob/master/sanoid.defaults.conf>`_ for allowed values.
Type: attribute set of dataset/template optionss
Declared by:
services.sanoid.templates¶
services.sanoid.templates.<name>.autoprune¶
Whether to automatically prune old snapshots.
Type: boolean
Default:
trueDeclared by:
services.sanoid.templates.<name>.autosnap¶
Whether to automatically take snapshots.
Type: boolean
Default:
trueDeclared by:
services.sanoid.templates.<name>.daily¶
Number of daily snapshots.
Type: unsigned integer, meaning >=0
Default:
90Declared by:
services.sanoid.templates.<name>.hourly¶
Number of hourly snapshots.
Type: unsigned integer, meaning >=0
Default:
48Declared by:
services.sanoid.templates.<name>.monthly¶
Number of monthly snapshots.
Type: unsigned integer, meaning >=0
Default:
6Declared by:
services.sanoid.templates.<name>.settings¶
Free-form settings for this template/dataset. See` <https://github.com/jimsalterjrs/sanoid/blob/master/sanoid.defaults.conf>`_ for allowed values.
Type: dataset/template options
Declared by:
services.sanoid.templates.<name>.yearly¶
Number of yearly snapshots.
Type: unsigned integer, meaning >=0
Default:
0Declared by:
services.saslauthd.enable¶
Whether to enable saslauthd, the Cyrus SASL authentication daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.saslauthd.package¶
Cyrus SASL package to use.
Type: package
Default:
"pkgs.cyrus_sasl.bin"Declared by:
services.saslauthd.config¶
Configuration to use for Cyrus SASL authentication daemon.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.saslauthd.mechanism¶
Auth mechanism to use
Type: string
Default:
"pam"Declared by:
services.scollector.enable¶
Whether to run scollector.
Type: boolean
Default:
falseDeclared by:
services.scollector.package¶
scollector binary to use.
Type: package
Default:
"pkgs.scollector"Example:
pkgs.scollectorDeclared by:
services.scollector.bosunHost¶
Host and port of the bosun server that will store the collected data.
Type: string
Default:
"localhost:8070"Declared by:
services.scollector.collectors¶
An attribute set mapping the frequency of collection to a list of binaries that should be executed at that frequency. You can use “0” to run a binary forever.
Type: attribute set of list of pathss
Default: ``{
}``
Example:
{ "0" = [ "${postgresStats}/bin/collect-stats" ]; }Declared by:
services.scollector.extraConfig¶
Extra scollector configuration added to the end of scollector.toml
Type: strings concatenated with “\n”
Default:
""Declared by:
services.scollector.extraOpts¶
Extra scollector command line options
Type: list of strings
Default: ``[
]``
Example:
[ "-d" ]Declared by:
services.scollector.group¶
Group account under which scollector runs.
Type: string
Default:
"scollector"Declared by:
services.scollector.user¶
User account under which scollector runs.
Type: string
Default:
"scollector"Declared by:
services.searx.enable¶
Whether to enable the searx server. See https://github.com/asciimoo/searx.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.searx.package¶
searx package to use.
Type: package
Default:
"pkgs.searx"Declared by:
services.searx.configFile¶
The path of the Searx server configuration file. If no file is specified, a default file is used (default config file has debug mode enabled).
Type: null or path
Default:
nullDeclared by:
services.seeks.enable¶
Whether to enable the Seeks server.
Type: boolean
Default:
falseDeclared by:
services.seeks.confDir¶
The Seeks server configuration. If it is not specified, a default configuration is used.
Type: string
Default:
""Declared by:
services.selfoss.enable¶
Whether to enable selfoss.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.selfoss.database.host¶
Host of the database (has no effect if type is “sqlite”).
Type: string
Default:
"localhost"Declared by:
services.selfoss.database.name¶
Name of the existing database (has no effect if type is “sqlite”).
Type: string
Default:
"tt_rss"Declared by:
services.selfoss.database.password¶
The database user’s password (has no effect if type is “sqlite”).
Type: null or string
Default:
nullDeclared by:
services.selfoss.database.port¶
The database’s port. If not set, the default ports will be provided (5432 and 3306 for pgsql and mysql respectively) (has no effect if type is “sqlite”).
Type: null or signed integer
Default:
nullDeclared by:
services.selfoss.database.type¶
Database to store feeds. Supported are sqlite, pgsql and mysql.
Type: one of “pgsql”, “mysql”, “sqlite”
Default:
"sqlite"Declared by:
services.selfoss.database.user¶
The database user. The user must exist and has access to the specified database (has no effect if type is “sqlite”).
Type: string
Default:
"tt_rss"Declared by:
services.selfoss.extraConfig¶
Extra configuration added to config.ini
Type: strings concatenated with “\n”
Default:
""Declared by:
services.selfoss.pool¶
Name of existing phpfpm pool that is used to run web-application. If not specified a pool will be created automatically with default values.
Type: string
Default:
"selfoss_pool"Declared by:
services.selfoss.user¶
User account under which both the service and the web-application run.
Type: string
Default:
"nginx"Example:
"nginx"Declared by:
services.serviio.enable¶
Whether to enable the Serviio Media Server.
Type: boolean
Default:
falseDeclared by:
services.serviio.dataDir¶
The directory where serviio stores its state, data, etc.
Type: path
Default:
"/var/lib/serviio"Declared by:
services.shadowsocks.enable¶
Whether to run shadowsocks-libev shadowsocks server.
Type: boolean
Default:
falseDeclared by:
services.shadowsocks.encryptionMethod¶
Encryption method. See ` <https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers>`_.
Type: string
Default:
"chacha20-ietf-poly1305"Declared by:
services.shadowsocks.localAddress¶
Local addresses to which the server binds.
Type: list of strings or string convertible to it
Default:
[ "\[::0]" "0.0.0.0" ]Declared by:
services.shadowsocks.mode¶
Relay protocols.
Type: one of “tcp_only”, “tcp_and_udp”, “udp_only”
Default:
"tcp_and_udp"Declared by:
services.shadowsocks.password¶
Password for connecting clients.
Type: null or string
Default:
nullDeclared by:
services.shadowsocks.passwordFile¶
Password file with a password for connecting clients.
Type: null or path
Default:
nullDeclared by:
services.shadowsocks.port¶
Port which the server uses.
Type: signed integer
Default:
8388Declared by:
services.shairport-sync.enable¶
Enable the shairport-sync daemon.
Running with a local system-wide or remote pulseaudio server is recommended.
Type: unspecified
Default:
falseDeclared by:
services.shairport-sync.arguments¶
Arguments to pass to the daemon. Defaults to a local pulseaudio server.
Type: unspecified
Default:
"-v -o pa"Declared by:
services.shairport-sync.user¶
User account name under which to run shairport-sync. The account will be created.
Type: unspecified
Default:
"shairport"Declared by:
services.shellinabox.enable¶
Whether to enable shellinabox daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.shellinabox.enableSSL¶
Whether or not to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.shellinabox.certDirectory¶
The daemon will look in this directory far any certificates. If the browser negotiated a Server Name Identification the daemon will look for a matching certificate-SERVERNAME.pem file. If no SNI handshake takes place, it will fall back on using the certificate in the certificate.pem file.
If no suitable certificate is installed, shellinaboxd will attempt to create a new self-signed certificate. This will only succeed if, after dropping privileges, shellinaboxd has write permissions for this directory.
Type: null or path
Default:
nullExample:
"/var/certs"Declared by:
services.shellinabox.certFile¶
Path to server SSL certificate.
Type: null or path
Default:
nullExample:
"/var/certificate.pem"Declared by:
services.shellinabox.extraOptions¶
A list of strings to be appended to the command line arguments for shellinaboxd. Please see the manual page` <https://code.google.com/p/shellinabox/wiki/shellinaboxd_man>`_ for a full list of available arguments.
Type: list of strings
Default: ``[
]``
Example:
[ "--port=443" "--service /:LOGIN" ]Declared by:
services.shellinabox.user¶
User to run shellinaboxd as. If started as root, the server drops privileges by changing to nobody, unless overridden by the``–user`` option.
Type: string
Default:
"root"Declared by:
services.shibboleth-sp.enable¶
Whether to enable the shibboleth service
Type: boolean
Default:
falseDeclared by:
services.shibboleth-sp.configFile¶
Path to shibboleth config file
Type: path
Example:
"\\${pkgs.shibboleth-sp}/etc/shibboleth/shibboleth2.xml"Declared by:
services.shibboleth-sp.fastcgi.enable¶
Whether to include the shibauthorizer and shibresponder FastCGI processes
Type: boolean
Default:
falseDeclared by:
services.shibboleth-sp.fastcgi.shibAuthorizerPort¶
Port for shibauthorizer FastCGI proccess to bind to
Type: signed integer
Default:
9100Declared by:
services.shibboleth-sp.fastcgi.shibResponderPort¶
Port for shibauthorizer FastCGI proccess to bind to
Type: signed integer
Default:
9101Declared by:
services.shiori.enable¶
Whether to enable Shiori simple bookmarks manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.shiori.package¶
The Shiori package to use.
Type: package
Default:
"pkgs.shiori"Declared by:
services.shiori.address¶
The IP address on which Shiori will listen. If empty, listens on all interfaces.
Type: string
Default:
""Declared by:
services.shiori.port¶
The port of the Shiori web application
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080Declared by:
services.shorewall.enable¶
Whether to enable Shorewall IPv4 Firewall.
Warning
Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.
Type: boolean
Default:
falseDeclared by:
services.shorewall.package¶
The shorewall package to use.
Type: package
Default:
"pkgs.shorewall"Declared by:
services.shorewall.configs¶
This option defines the Shorewall configs. The attribute name defines the name of the config, and the attribute value defines the content of the config.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.shorewall6.enable¶
Whether to enable Shorewall IPv6 Firewall.
Warning
Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.
Type: boolean
Default:
falseDeclared by:
services.shorewall6.package¶
The shorewall package to use.
Type: package
Default:
"pkgs.shorewall"Declared by:
services.shorewall6.configs¶
This option defines the Shorewall configs. The attribute name defines the name of the config, and the attribute value defines the content of the config.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.shout.enable¶
Whether to enable Shout web IRC client.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.shout.config¶
Shout
config.jscontents as attribute set (will be converted to JSON to generate the configuration file).The options defined here will be merged to the default configuration file.
Documentation: http://shout-irc.com/docs/server/configuration.html
Type: attribute set
Default: ``{
}``
Example:
{ defaults = { host = "localhost"; name = "Your Network"; port = 6697; } ; displayNetwork = false; }Declared by:
services.shout.configFile¶
Contents of Shout’s
config.jsfile.Used for backward compatibility, recommended way is now to use the
configoption.Documentation: http://shout-irc.com/docs/server/configuration.html
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.shout.listenAddress¶
IP interface to listen on for http connections.
Type: string
Default:
"0.0.0.0"Declared by:
services.shout.port¶
TCP port to listen on for http connections.
Type: signed integer
Default:
9000Declared by:
services.shout.private¶
Make your shout instance private. You will need to configure user accounts by adding entries in
/var/lib/shout/users.Type: boolean
Default:
falseDeclared by:
services.sickbeard.enable¶
Whether to enable the sickbeard server.
Type: boolean
Default:
falseDeclared by:
services.sickbeard.package¶
Enable
pkgs.sickrageorpkgs.sickgearas an alternative to SickBeardType: package
Default:
*(build of sickbeard-2016-03-21)*Example:
pkgs.sickrageDeclared by:
services.sickbeard.configFile¶
Path to config file.
Type: path
Default:
"/var/lib/sickbeard/config.ini"Declared by:
services.sickbeard.dataDir¶
Path where to store data files.
Type: path
Default:
"/var/lib/sickbeard"Declared by:
services.sickbeard.group¶
Group to run the service as
Type: string
Default:
"sickbeard"Declared by:
services.sickbeard.port¶
Port to bind to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8081Declared by:
services.sickbeard.user¶
User to run the service as
Type: string
Default:
"sickbeard"Declared by:
services.siproxd.enable¶
Whether to enable the Siproxd SIP proxy/masquerading daemon.
Type: boolean
Default:
falseDeclared by:
services.siproxd.extraConfig¶
Extra configuration to add to siproxd configuration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.siproxd.hostsAllowReg¶
Acess control list for incoming SIP registrations.
Type: list of strings
Default: ``[
]``
Example:
[ "192.168.1.0/24" "192.168.2.0/24" ]Declared by:
services.siproxd.hostsAllowSip¶
Acess control list for incoming SIP traffic.
Type: list of strings
Default: ``[
]``
Example:
[ "123.45.0.0/16" "123.46.0.0/16" ]Declared by:
services.siproxd.hostsDenySip¶
Acess control list for denying incoming SIP registrations and traffic.
Type: list of strings
Default: ``[
]``
Example:
[ "10.0.0.0/8" "11.0.0.0/8" ]Declared by:
services.siproxd.ifInbound¶
Local network interface
Type: string
Example:
"eth0"Declared by:
services.siproxd.ifOutbound¶
Public network interface
Type: string
Example:
"ppp0"Declared by:
services.siproxd.passwordFile¶
Path to per-user password file.
Type: string
Default:
""Declared by:
services.siproxd.rtpDscp¶
DSCP (differentiated services) value to be assigned to RTP packets. Allows QOS aware routers to handle different types traffic with different priorities.
Type: signed integer
Default:
46Declared by:
services.siproxd.rtpPortHigh¶
Top of UDP port range for incoming and outgoing RTP traffic
Type: signed integer
Default:
7089Declared by:
services.siproxd.rtpPortLow¶
Bottom of UDP port range for incoming and outgoing RTP traffic
Type: signed integer
Default:
7070Declared by:
services.siproxd.rtpTimeout¶
Timeout for an RTP stream. If for the specified number of seconds no data is relayed on an active stream, it is considered dead and will be killed.
Type: signed integer
Default:
300Declared by:
services.siproxd.sipDscp¶
DSCP (differentiated services) value to be assigned to SIP packets. Allows QOS aware routers to handle different types traffic with different priorities.
Type: signed integer
Default:
0Declared by:
services.siproxd.sipListenPort¶
Port to listen for incoming SIP messages.
Type: signed integer
Default:
5060Declared by:
services.sks.enable¶
Whether to enable SKS (synchronizing key server for OpenPGP) and start the database server. You need to create “${dataDir}/dump/*.gpg” for the initial import.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sks.package¶
Which SKS derivation to use.
Type: package
Default:
"pkgs.sks"Declared by:
services.sks.dataDir¶
Data directory (-basedir) for SKS, where the database and all configuration files are located (e.g. KDB, PTree, membership and sksconf).
Type: path
Default:
"/var/db/sks"Example:
"/var/lib/sks"Declared by:
services.sks.extraDbConfig¶
Set contents of the files “KDB/DB_CONFIG” and “PTree/DB_CONFIG” within the ${dataDir} directory. This is used to configure options for the database for the sks key server.
Documentation of available options are available in the file named “sampleConfig/DB_CONFIG” in the following repository: https://bitbucket.org/skskeyserver/sks-keyserver/src
Type: string
Default:
""Declared by:
services.sks.hkpAddress¶
Domain names, IPv4 and/or IPv6 addresses to listen on for HKP requests.
Type: list of strings
Default:
[ "127.0.0.1" "::1" ]Declared by:
services.sks.hkpPort¶
HKP port to listen on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
11371Declared by:
services.sks.webroot¶
Source directory (will be symlinked, if not null) for the files the built-in webserver should serve. SKS (${pkgs.sks.webSamples}) provides the following examples: “HTML5”, “OpenPKG”, and “XHTML+ES”. The index file can be named index.html, index.htm, index.xhtm, or index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg, .png, or .gif are supported. Subdirectories and filenames with anything other than alphanumeric characters and the ‘.’ character will be ignored.
Type: null or path
Default:
"\\${pkgs.sks.webSamples}/OpenPKG"Declared by:
services.skydns.enable¶
Whether to enable skydns service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.skydns.package¶
Skydns package to use.
Type: package
Default:
"pkgs.skydns"Declared by:
services.skydns.address¶
Skydns address to bind to.
Type: string
Default:
"0.0.0.0:53"Declared by:
services.skydns.domain¶
Skydns default domain if not specified by etcd config.
Type: string
Default:
"skydns.local."Declared by:
services.skydns.etcd.caCert¶
Skydns path of TLS certificate authority public key.
Type: null or path
Default:
nullDeclared by:
services.skydns.etcd.machines¶
Skydns list of etcd endpoints to connect to.
Type: list of strings
Default:
[ "http://127.0.0.1:2379" ]Declared by:
services.skydns.etcd.tlsKey¶
Skydns path of TLS client certificate - private key.
Type: null or path
Default:
nullDeclared by:
services.skydns.etcd.tlsPem¶
Skydns path of TLS client certificate - public key.
Type: null or path
Default:
nullDeclared by:
services.skydns.extraConfig¶
Skydns attribute set of extra config options passed as environemnt variables.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.skydns.nameservers¶
Skydns list of nameservers to forward DNS requests to when not authoritative for a domain.
Type: list of strings
Default: ``[
]``
Example:
[ "8.8.8.8:53" "8.8.4.4:53" ]Declared by:
services.slimserver.enable¶
Whether to enable slimserver.
Type: boolean
Default:
falseDeclared by:
services.slimserver.package¶
Slimserver package to use.
Type: package
Default:
"pkgs.slimserver"Declared by:
services.slimserver.dataDir¶
The directory where slimserver stores its state, tag cache, playlists etc.
Type: path
Default:
"/var/lib/slimserver"Declared by:
services.slurm.enableSrunX11¶
If enabled srun will accept the option “–x11” to allow for X11 forwarding from within an interactive session or a batch job. This activates the slurm-spank-x11 module. Note that this option also enables on the client.
This option requires slurm to be compiled without native X11 support. The default behavior is to re-compile the slurm package with native X11 support disabled if this option is set to true.
To use the native X11 support add
PrologFlags=X11in . Note that this method will only work RSA SSH host keys.Type: boolean
Default:
falseDeclared by:
services.slurm.enableStools¶
Wether to provide a slurm.conf file. Enable this option if you do not run a slurm daemon on this host (i.e.
server.enableandclient.enablearefalse) but you still want to run slurm commands from this host.Type: boolean
Default:
falseDeclared by:
services.slurm.package¶
The package to use for slurm binaries.
Type: package
Default:
"pkgs.slurm"Example:
pkgs.slurm-fullDeclared by:
services.slurm.client.enable¶
Whether to enable slurm client daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.slurm.clusterName¶
Necessary to distinguish accounting records in a multi-cluster environment.
Type: string
Default:
"default"Example:
"myCluster"Declared by:
services.slurm.controlAddr¶
Name that ControlMachine should be referred to in establishing a communications path.
Type: null or string
Default:
nullExample:
nullDeclared by:
services.slurm.controlMachine¶
The short hostname of the machine where SLURM control functions are executed (i.e. the name returned by the command “hostname -s”, use “tux001” rather than “tux001.my.com”).
Type: null or string
Default:
nullExample:
nullDeclared by:
services.slurm.dbdserver.enable¶
Whether to enable SlurmDBD service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.slurm.dbdserver.configFile¶
Path to
slurmdbd.conf. The password for the database connection is stored in the config file. Use this option to specfify a path outside the nix store. If this option is unset a configuration file will be generated. See also:slurmdbd.conf8.Type: null or string
Default:
nullDeclared by:
services.slurm.dbdserver.dbdHost¶
Hostname of the machine where
slurmdbdis running (i.e. name returned byhostname -s).Type: string
Default:
"nixos"Declared by:
services.slurm.dbdserver.extraConfig¶
Extra configuration for
slurmdbd.confType: strings concatenated with “\n”
Default:
""Declared by:
services.slurm.dbdserver.storagePass¶
Database password. Note that this password will be publicable readable in the nix store. Use to store the and config file and password outside the nix store.
Type: null or string
Default:
nullDeclared by:
services.slurm.dbdserver.storageUser¶
Database user name.
Type: string
Default:
"slurm"Declared by:
services.slurm.extraCgroupConfig¶
Extra configuration for
cgroup.conf. This file is used whenprocTrackType=proctrack/cgroup.Type: strings concatenated with “\n”
Default:
""Declared by:
services.slurm.extraConfig¶
Extra configuration options that will be added verbatim at the end of the slurm configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.slurm.extraConfigPaths¶
Slurm expects config files for plugins in the same path as
slurm.conf. Add extra nix store paths that should be merged into same directory as``slurm.conf``.Type: list of paths
Default: ``[
]``
Declared by:
services.slurm.extraPlugstackConfig¶
Extra configuration that will be added to the end of
plugstack.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.slurm.nodeName¶
Name that SLURM uses to refer to a node (or base partition for BlueGene systems). Typically this would be the string that “/bin/hostname -s” returns. Note that now you have to write node’s parameters after the name.
Type: list of strings
Default: ``[
]``
Example:
[ "linux[1-32] CPUs=1 State=UNKNOWN" ];Declared by:
services.slurm.partitionName¶
Name by which the partition may be referenced. Note that now you have to write the partition’s parameters after the name.
Type: list of strings
Default: ``[
]``
Example:
[ "debug Nodes=linux[1-32] Default=YES MaxTime=INFINITE State=UP" ];Declared by:
services.slurm.procTrackType¶
Plugin to be used for process tracking on a job step basis. The slurmd daemon uses this mechanism to identify all processes which are children of processes it spawns for a user job step.
Type: string
Default:
"proctrack/linuxproc"Declared by:
services.slurm.server.enable¶
Wether to enable the slurm control daemon. Note that the standard authentication method is “munge”. The “munge” service needs to be provided with a password file in order for slurm to work properly (see
services.munge.password).Type: boolean
Default:
falseDeclared by:
services.slurm.stateSaveLocation¶
Directory into which the Slurm controller, slurmctld, saves its state.
Type: string
Default:
"/var/spool/slurmctld"Declared by:
services.slurm.user¶
Set this option when you want to run the slurmctld daemon as something else than the default slurm user “slurm”. Note that the UID of this user needs to be the same on all nodes.
Type: string
Default:
"slurm"Declared by:
services.smartd.enable¶
Whether to enable smartd daemon from
smartmontoolspackage.Type: boolean
Default:
falseExample:
trueDeclared by:
services.smartd.autodetect¶
Whenever smartd should monitor all devices connected to the machine at the time it’s being started (the default).
Set to false to monitor the devices listed in only.
Type: boolean
Default:
trueDeclared by:
services.smartd.defaults.autodetected¶
Like , but for the autodetected devices.
Type: strings concatenated with ” “
Default:
"-a"Declared by:
services.smartd.defaults.monitored¶
Common default options for explicitly monitored (listed in) devices.
The default value turns on monitoring of all the things (see``man 5 smartd.conf``).
The example also turns on SMART Automatic Offline Testing on startup, and schedules short self-tests daily, and long self-tests weekly.
Type: strings concatenated with ” “
Default:
"-a"Example:
"-a -o on -s (S/../.././02|L/../../7/04)"Declared by:
services.smartd.devices¶
services.smartd.devices.*.device¶
Location of the device.
Type: string
Example:
"/dev/sda"Declared by:
services.smartd.devices.*.options¶
Options that determine how smartd monitors the device.
Type: strings concatenated with ” “
Default:
""Example:
"-d sat"Declared by:
services.smartd.extraOptions¶
Extra command-line options passed to the
smartddaemon on startup.(See
man 8 smartd.)Type: list of strings
Default: ``[
]``
Example:
[ "-A /var/log/smartd/" "--interval=3600" ]Declared by:
services.smartd.notifications.mail.enable¶
Whenever to send e-mail notifications.
Type: boolean
Default:
falseDeclared by:
services.smartd.notifications.mail.mailer¶
Sendmail-compatible binary to be used to send the messages.
You should probably enable or some other MTA for this to work.
Type: path
Default:
"/run/wrappers/bin/sendmail"Declared by:
services.smartd.notifications.mail.recipient¶
Recipient of the notification messages.
Type: string
Default:
"root"Declared by:
services.smartd.notifications.test¶
Whenever to send a test notification on startup.
Type: boolean
Default:
falseDeclared by:
services.smartd.notifications.wall.enable¶
Whenever to send wall notifications to all users.
Type: boolean
Default:
trueDeclared by:
services.smartd.notifications.x11.enable¶
Whenever to send X11 xmessage notifications.
Type: boolean
Default:
falseDeclared by:
services.smartd.notifications.x11.display¶
DISPLAY to send X11 notifications to.
Type: string
Default:
":0"Declared by:
services.smokeping.enable¶
Enable the smokeping service
Type: boolean
Default:
falseDeclared by:
services.smokeping.package¶
Specify a custom smokeping package
Type: package
Default:
"pkgs.smokeping"Declared by:
services.smokeping.alertConfig¶
Configuration for alerts.
Type: strings concatenated with “\n”
Default:
'' to = root@localhost from = smokeping@localhost ''Example:
to = alertee@address.somewhere from = smokealert@company.xy +someloss type = loss # in percent pattern = >0%,*12*,>0%,*12*,>0% comment = loss 3 times in a row;Declared by:
services.smokeping.cgiUrl¶
URL to the smokeping cgi.
Type: string
Default:
"http://\\${hostName}:\\${toString port}/smokeping.cgi"Example:
"https://somewhere.example.com/smokeping.cgi"Declared by:
services.smokeping.config¶
Full smokeping config supplied by the user. Overrides and replaces any other configuration supplied.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.smokeping.databaseConfig¶
Configure the ping frequency and retention of the rrd files. Once set, changing the interval will require deletion or migration of all the collected data.
Type: strings concatenated with “\n”
Default:
'' step = 300 pings = 20 # consfn mrhb steps total AVERAGE 0.5 1 1008 AVERAGE 0.5 12 4320 MIN 0.5 12 4320 MAX 0.5 12 4320 AVERAGE 0.5 144 720 MAX 0.5 144 720 MIN 0.5 144 720 ''Example:
# near constant pings. step = 30 pings = 20 # consfn mrhb steps total AVERAGE 0.5 1 10080 AVERAGE 0.5 12 43200 MIN 0.5 12 43200 MAX 0.5 12 43200 AVERAGE 0.5 144 7200 MAX 0.5 144 7200 MIN 0.5 144 7200Declared by:
services.smokeping.extraConfig¶
Any additional customization not already included.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.smokeping.hostName¶
DNS name for the urls generated in the cgi.
Type: string
Default:
"nixos"Example:
"somewhere.example.com"Declared by:
services.smokeping.imgUrl¶
Base url for images generated in the cgi.
Type: string
Default:
"http://\\${hostName}:\\${toString port}/cache"Example:
"https://somewhere.example.com/cache"Declared by:
services.smokeping.linkStyle¶
DNS name for the urls generated in the cgi.
Type: one of “original”, “absolute”, “relative”
Default:
"relative"Example:
"absolute"Declared by:
services.smokeping.mailHost¶
Use this SMTP server to send alerts
Type: string
Default:
""Example:
"localhost"Declared by:
services.smokeping.owner¶
Real name of the owner of the instance
Type: string
Default:
"nobody"Example:
"Joe Admin"Declared by:
services.smokeping.ownerEmail¶
Email contact for owner
Type: string
Default:
"no-reply@nixos"Example:
"no-reply@yourdomain.com"Declared by:
services.smokeping.port¶
TCP port to use for the web server.
Type: signed integer
Default:
8081Example:
8081Declared by:
services.smokeping.presentationConfig¶
presentation graph style
Type: strings concatenated with “\n”
Default:
'' + charts menu = Charts title = The most interesting destinations ++ stddev sorter = StdDev(entries=>4) title = Top Standard Deviation menu = Std Deviation format = Standard Deviation %f ++ max sorter = Max(entries=>5) title = Top Max Roundtrip Time menu = by Max format = Max Roundtrip Time %f seconds ++ loss sorter = Loss(entries=>5) title = Top Packet Loss menu = Loss format = Packets Lost %f ++ median sorter = Median(entries=>5) title = Top Median Roundtrip Time menu = by Median format = Median RTT %f seconds + overview width = 600 height = 50 range = 10h + detail width = 600 height = 200 unison_tolerance = 2 "Last 3 Hours" 3h "Last 30 Hours" 30h "Last 10 Days" 10d "Last 360 Days" 360d ''Declared by:
services.smokeping.presentationTemplate¶
Default page layout for the web UI.
Type: string
Default:
"\\${pkgs.smokeping}/etc/basepage.html.dist"Declared by:
services.smokeping.probeConfig¶
Probe configuration
Type: strings concatenated with “\n”
Default:
'' + FPing binary = /run/wrappers/bin/fping ''Declared by:
services.smokeping.sendmail¶
Use this sendmail compatible script to deliver alerts
Type: null or path
Default:
nullExample:
"/run/wrappers/bin/sendmail"Declared by:
services.smokeping.smokeMailTemplate¶
Specify the smokemail template for alerts.
Type: string
Default:
"\\${pkgs.smokeping}/etc/smokemail.dist"Declared by:
services.smokeping.targetConfig¶
Target configuration
Type: strings concatenated with “\n”
Default:
'' probe = FPing menu = Top title = Network Latency Grapher remark = Welcome to the SmokePing website of xxx Company. \ Here you will learn all about the latency of our network. + Local menu = Local title = Local Network ++ LocalMachine menu = Local Machine title = This host host = localhost ''Declared by:
services.smokeping.user¶
User that runs smokeping and (optionally) thttpd
Type: string
Default:
"smokeping"Declared by:
services.smokeping.webService¶
Enable a smokeping web interface
Type: boolean
Default:
trueDeclared by:
services.snapper.cleanupInterval¶
Cleanup interval.
The format is described insystemd.time7.
Type: string
Default:
"1d"Declared by:
services.snapper.configs¶
services.snapper.configs.<name>.extraConfig¶
Additional configuration next to SUBVOLUME and FSTYPE. See man:snapper-configs(5).
Type: strings concatenated with “\n”
Default:
""Declared by:
services.snapper.configs.<name>.fstype¶
Filesystem type. Only btrfs is stable and tested.
Type: one of “btrfs”
Default:
"btrfs"Declared by:
services.snapper.configs.<name>.subvolume¶
Path of the subvolume or mount point. This path is a subvolume and has to contain a subvolume named .snapshots. See also man:snapper(8) section PERMISSIONS.
Type: path
Declared by:
services.snapper.filters¶
Global display difference filter. See man:snapper(8) for more details.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.snapper.snapshotInterval¶
Snapshot interval.
The format is described insystemd.time7.
Type: string
Default:
"hourly"Declared by:
services.snapserver.enable¶
Whether to enable snapserver.
Type: boolean
Default:
falseDeclared by:
services.snapserver.buffer¶
Network buffer in ms.
Type: null or signed integer
Default:
nullExample:
1000Declared by:
services.snapserver.codec¶
Default audio compression method.
Type: null or string
Default:
nullExample:
"flac"Declared by:
services.snapserver.controlPort¶
The port for control connections (JSON-RPC).
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
1705Declared by:
services.snapserver.openFirewall¶
Whether to automatically open the specified ports in the firewall.
Type: boolean
Default:
trueDeclared by:
services.snapserver.port¶
The port that snapclients can connect to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
1704Declared by:
services.snapserver.sampleFormat¶
Default sample format.
Type: null or string
Default:
nullExample:
"48000:16:2"Declared by:
services.snapserver.sendToMuted¶
Send audio to muted clients.
Type: boolean
Default:
falseDeclared by:
services.snapserver.streamBuffer¶
Stream read (input) buffer in ms.
Type: null or signed integer
Default:
nullExample:
20Declared by:
services.snapserver.streams¶
The definition for an input source.
Type: attribute set of submodules
Default: ``{ default = {
}``
Example:
{ mpd = { type = "pipe"; location = "/run/snapserver/mpd"; sampleFormat = "48000:16:2"; codec = "pcm"; }; };Declared by:
services.snapserver.streams.<name>.codec¶
Default audio compression method.
Type: null or string
Default:
nullExample:
"flac"Declared by:
services.snapserver.streams.<name>.location¶
The location of the pipe.
Type: path
Declared by:
services.snapserver.streams.<name>.query¶
Key-value pairs that convey additional parameters about a stream.
Type: attribute set of strings
Default: ``{
}``
Example:
# for type == "pipe": { mode = "listen"; }; # for type == "process": { params = "--param1 --param2"; logStderr = "true"; };Declared by:
services.snapserver.streams.<name>.sampleFormat¶
Default sample format.
Type: null or string
Default:
nullExample:
"48000:16:2"Declared by:
services.snapserver.streams.<name>.type¶
The type of input stream.
Type: one of “pipe”, “file”, “process”, “spotify”, “airplay”
Default:
"pipe"Declared by:
services.sniproxy.enable¶
Whether to enable sniproxy server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sniproxy.config¶
sniproxy.conf configuration excluding the daemon username and pid file.
Type: strings concatenated with “\n”
Default:
""Example:
error_log { filename /var/log/sniproxy/error.log } access_log { filename /var/log/sniproxy/access.log } listen 443 { proto tls } table { example.com 192.0.2.10 example.net 192.0.2.20 }Declared by:
services.sniproxy.group¶
Group under which sniproxy runs.
Type: string
Default:
"sniproxy"Declared by:
services.sniproxy.logDir¶
Location of the log directory for sniproxy.
Type: string
Default:
"/var/log/sniproxy/"Declared by:
services.sniproxy.user¶
User account under which sniproxy runs.
Type: string
Default:
"sniproxy"Declared by:
services.softether.enable¶
Whether to enable SoftEther VPN services.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.softether.package¶
softether derivation to use.
Type: package
Default:
"pkgs.softether"Declared by:
services.softether.dataDir¶
Data directory for SoftEther VPN.
Type: path
Default:
"/var/lib/softether"Declared by:
services.softether.vpnbridge.enable¶
Whether to enable SoftEther VPN Bridge.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.softether.vpnclient.enable¶
Whether to enable SoftEther VPN Client.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.softether.vpnclient.down¶
Shell commands executed when the Virtual Network Adapter(s) is/are shutting down.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.softether.vpnclient.up¶
Shell commands executed when the Virtual Network Adapter(s) is/are starting.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.softether.vpnserver.enable¶
Whether to enable SoftEther VPN Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.solr.enable¶
Whether to enable Solr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.solr.package¶
Which Solr package to use.
Type: package
Default:
"pkgs.solr"Declared by:
services.solr.extraJavaOptions¶
Extra command line options given to the java process running Solr.
Type: list of strings
Default: ``[
]``
Declared by:
services.solr.group¶
Group under which Solr is ran.
Type: string
Default:
"solr"Declared by:
services.solr.port¶
Port on which Solr is ran.
Type: signed integer
Default:
8983Declared by:
services.solr.stateDir¶
The solr home directory containing config, data, and logging files.
Type: path
Default:
"/var/lib/solr"Declared by:
services.solr.user¶
User under which Solr is ran.
Type: string
Default:
"solr"Declared by:
services.sonarr.enable¶
Whether to enable Sonarr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sonarr.dataDir¶
The directory where Sonarr stores its data files.
Type: string
Default:
"/var/lib/sonarr/.config/NzbDrone"Declared by:
services.sonarr.group¶
Group under which Sonaar runs.
Type: string
Default:
"sonarr"Declared by:
services.sonarr.openFirewall¶
Open ports in the firewall for the Sonarr web interface
Type: boolean
Default:
falseDeclared by:
services.sonarr.user¶
User account under which Sonaar runs.
Type: string
Default:
"sonarr"Declared by:
services.spacecookie.enable¶
Whether to enable spacecookie.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.spacecookie.hostname¶
The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu.
Type: string
Default:
"localhost"Declared by:
services.spacecookie.port¶
Port the gopher service should be exposed on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
70Declared by:
services.spacecookie.root¶
The root directory spacecookie serves via gopher.
Type: path
Default:
"/srv/gopher"Declared by:
services.spamassassin.enable¶
Whether to run the SpamAssassin daemon
Type: unspecified
Default:
falseDeclared by:
services.spamassassin.config¶
The SpamAssassin local.cf config
If you are using this configuration: add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
Then you can Use this sieve filter: require [“fileinto”, “reject”, “envelope”];
if header :contains “X-Spam-Flag” “YES” { fileinto “spam”; }
Or this procmail filter: :0: * ^X-Spam-Flag: YES /var/vpopmail/domains/lastlog.de/js/.maildir/.spam/new
To filter your messages based on the additional mail headers added by spamassassin.
Type: strings concatenated with “\n”
Default:
""Example:
'' #rewrite_header Subject [***** SPAM _SCORE_ *****] required_score 5.0 use_bayes 1 bayes_auto_learn 1 add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_ ''Declared by:
services.spamassassin.debug¶
Whether to run the SpamAssassin daemon in debug mode
Type: unspecified
Default:
falseDeclared by:
services.spamassassin.initPreConf¶
The SpamAssassin init.pre config.
Type: string or path
Default:
'' # # to update this list, run this command in the rules directory: # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq # #loadplugin Mail::SpamAssassin::Plugin::AccessDB #loadplugin Mail::SpamAssassin::Plugin::AntiVirus loadplugin Mail::SpamAssassin::Plugin::AskDNS # loadplugin Mail::SpamAssassin::Plugin::ASN loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold #loadplugin Mail::SpamAssassin::Plugin::AWL loadplugin Mail::SpamAssassin::Plugin::Bayes loadplugin Mail::SpamAssassin::Plugin::BodyEval loadplugin Mail::SpamAssassin::Plugin::Check #loadplugin Mail::SpamAssassin::Plugin::DCC loadplugin Mail::SpamAssassin::Plugin::DKIM loadplugin Mail::SpamAssassin::Plugin::DNSEval loadplugin Mail::SpamAssassin::Plugin::FreeMail loadplugin Mail::SpamAssassin::Plugin::Hashcash loadplugin Mail::SpamAssassin::Plugin::HeaderEval loadplugin Mail::SpamAssassin::Plugin::HTMLEval loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch loadplugin Mail::SpamAssassin::Plugin::ImageInfo loadplugin Mail::SpamAssassin::Plugin::MIMEEval loadplugin Mail::SpamAssassin::Plugin::MIMEHeader # loadplugin Mail::SpamAssassin::Plugin::PDFInfo #loadplugin Mail::SpamAssassin::Plugin::PhishTag loadplugin Mail::SpamAssassin::Plugin::Pyzor loadplugin Mail::SpamAssassin::Plugin::Razor2 # loadplugin Mail::SpamAssassin::Plugin::RelayCountry loadplugin Mail::SpamAssassin::Plugin::RelayEval loadplugin Mail::SpamAssassin::Plugin::ReplaceTags # loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody # loadplugin Mail::SpamAssassin::Plugin::Shortcircuit loadplugin Mail::SpamAssassin::Plugin::SpamCop loadplugin Mail::SpamAssassin::Plugin::SPF #loadplugin Mail::SpamAssassin::Plugin::TextCat # loadplugin Mail::SpamAssassin::Plugin::TxRep loadplugin Mail::SpamAssassin::Plugin::URIDetail loadplugin Mail::SpamAssassin::Plugin::URIDNSBL loadplugin Mail::SpamAssassin::Plugin::URIEval # loadplugin Mail::SpamAssassin::Plugin::URILocalBL loadplugin Mail::SpamAssassin::Plugin::VBounce loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject loadplugin Mail::SpamAssassin::Plugin::WLBLEval ''Declared by:
services.spice-vdagentd.enable¶
Whether to enable Spice guest vdagent daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.spiped.enable¶
Enable the spiped service module.
Type: boolean
Default:
falseDeclared by:
services.spiped.config¶
Configuration for a secure pipe daemon. The daemon can be started, stopped, or examined using``systemctl``, under the name``spiped@foo``.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ pipe1 = { keyfile = "/var/lib/spiped/pipe1.key"; encrypt = true; source = "localhost:6000"; target = "endpoint.example.com:7000"; }; pipe2 = { keyfile = "/var/lib/spiped/pipe2.key"; decrypt = true; source = "0.0.0.0:7000"; target = "localhost:3000"; }; }Declared by:
services.spiped.config.<name>.decrypt¶
Take encrypted connections from the``source`` socket and send unencrypted connections to the
targetsocket.Type: boolean
Default:
falseDeclared by:
services.spiped.config.<name>.disableKeepalives¶
Disable transport layer keep-alives.
Type: boolean
Default:
falseDeclared by:
services.spiped.config.<name>.disableReresolution¶
Disable target address re-resolution.
Type: boolean
Default:
falseDeclared by:
services.spiped.config.<name>.encrypt¶
Take unencrypted connections from the``source`` socket and send encrypted connections to the
targetsocket.Type: boolean
Default:
falseDeclared by:
services.spiped.config.<name>.keyfile¶
Name of a file containing the spiped key. As the daemon runs as the
spipeduser, the key file must be somewhere owned by that user. By default, we recommend putting the keys for any spipe services in/var/lib/spiped.Type: path
Declared by:
services.spiped.config.<name>.maxConns¶
Limit on the number of simultaneous connections allowed.
Type: signed integer
Default:
100Declared by:
services.spiped.config.<name>.resolveRefresh¶
Resolution refresh time for the target socket, in seconds.
Type: signed integer
Default:
60Declared by:
services.spiped.config.<name>.source¶
Address on which spiped should listen for incoming connections. Must be in one of the following formats:
/absolute/path/to/unix/socket,``host.name:port``,``[ip.v4.ad.dr]:port`` or``[ipv6::addr]:port`` - note that hostnames are resolved when spiped is launched and are not re-resolved later; thus if DNS entries change spiped will continue to connect to the expired address.Type: string
Declared by:
services.spiped.config.<name>.target¶
Address to which spiped should connect.
Type: string
Declared by:
services.spiped.config.<name>.timeout¶
Timeout, in seconds, after which an attempt to connect to the target or a protocol handshake will be aborted (and the connection dropped) if not completed
Type: signed integer
Default:
5Declared by:
services.spiped.config.<name>.waitForDNS¶
Wait for DNS. Normally when
spipedis launched it resolves addresses and binds to its source socket before the parent process returns; with this option it will daemonize first and retry failed DNS lookups until they succeed. This allowsspipedto launch even if DNS isn’t set up yet, but at the expense of losing the guarantee that oncespipedhas finished launching it will be ready to create pipes.Type: boolean
Default:
falseDeclared by:
services.spiped.config.<name>.weakHandshake¶
Use fast/weak handshaking: This reduces the CPU time spent in the initial connection setup, at the expense of losing perfect forward secrecy.
Type: boolean
Default:
falseDeclared by:
services.spotifyd.enable¶
Whether to enable spotifyd, a Spotify playing daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.spotifyd.config¶
Configuration for Spotifyd. For syntax and directives, see https://github.com/Spotifyd/spotifyd#Configuration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.squeezelite.enable¶
Whether to enable Squeezelite, a software Squeezebox emulator.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.squeezelite.extraArguments¶
Additional command line arguments to pass to Squeezelite.
Type: string
Default:
""Declared by:
services.squid.enable¶
Whether to run squid web proxy.
Type: boolean
Default:
falseDeclared by:
services.squid.configText¶
Verbatim contents of squid.conf. If null (default), use the autogenerated file from NixOS instead.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.squid.extraConfig¶
Squid configuration. Contents will be added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.squid.proxyPort¶
TCP port on which squid will listen.
Type: signed integer
Default:
3128Declared by:
services.sshd.enable¶
services.sshguard.enable¶
Whether to enable the sshguard service.
Type: boolean
Default:
falseDeclared by:
services.sshguard.attack_threshold¶
Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
Type: signed integer
Default:
30Declared by:
services.sshguard.blacklist_file¶
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
Type: path
Default:
"/var/lib/sshguard/blacklist.db"Declared by:
services.sshguard.blacklist_threshold¶
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
Type: null or signed integer
Default:
nullExample:
120Declared by:
services.sshguard.blocktime¶
Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.
sshguard unblocks attacks at random intervals, so actual block times will be longer.
Type: signed integer
Default:
120Declared by:
services.sshguard.detection_time¶
Remember potential attackers for up to detection_time seconds before resetting their score.
Type: signed integer
Default:
1800Declared by:
services.sshguard.services¶
Systemd services sshguard should receive logs of.
Type: list of strings
Default:
[ "sshd" ]Example:
[ "sshd" "exim" ]Declared by:
services.sshguard.whitelist¶
Whitelist a list of addresses, hostnames, or address blocks.
Type: list of strings
Default: ``[
]``
Example:
[ "198.51.100.56" "198.51.100.2" ]Declared by:
services.sslh.enable¶
Whether to enable sslh.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sslh.appendConfig¶
Verbatim configuration file.
Type: string
Default:
'' protocols: ( { name: "ssh"; service: "ssh"; host: "localhost"; port: "22"; probe: "builtin"; }, { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; }, { name: "xmpp"; host: "localhost"; port: "5222"; probe: "builtin"; }, { name: "http"; host: "localhost"; port: "80"; probe: "builtin"; }, { name: "ssl"; host: "localhost"; port: "443"; probe: "builtin"; }, { name: "anyprot"; host: "localhost"; port: "443"; probe: "builtin"; } ); ''Declared by:
services.sslh.listenAddress¶
Listening address or hostname.
Type: string
Default:
"0.0.0.0"Declared by:
services.sslh.port¶
Listening port.
Type: signed integer
Default:
443Declared by:
services.sslh.timeout¶
Timeout in seconds.
Type: signed integer
Default:
2Declared by:
services.sslh.transparent¶
Will the services behind sslh (Apache, sshd and so on) see the external IP and ports as if the external world connected directly to them
Type: boolean
Default:
falseDeclared by:
services.sslh.verbose¶
Verbose logs.
Type: boolean
Default:
falseDeclared by:
services.ssm-agent.enable¶
Whether to enable AWS SSM agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ssm-agent.package¶
The SSM agent package to use
Type: path
Default:
"pkgs.ssm-agent"Declared by:
services.ssmtp.enable¶
Use the trivial Mail Transfer Agent (MTA):command:ssmtp package to allow programs to send e-mail. If you don’t want to run a “real” MTA like:command:sendmail or postfix on your machine, set this option to
true, and set the option to the host name of your preferred mail server.Type: boolean
Default:
falseDeclared by:
services.ssmtp.authPass¶
Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
It’s recommended to use which takes precedence over .
Type: string
Default:
""Example:
"correctHorseBatteryStaple"Declared by:
services.ssmtp.authPassFile¶
Path to a file that contains the password used for SMTP auth. The file should not contain a trailing newline, if the password does not contain one. This file should be readable by the users that need to execute ssmtp.
takes precedence over .
Warning: when is non-empty defaults to a file in the WORLD-READABLE Nix store containing that password.
Type: null or string
Default:
nullExample:
"/run/keys/ssmtp-authpass"Declared by:
services.ssmtp.authUser¶
Username used for SMTP auth. Leave blank to disable.
Type: string
Default:
""Example:
"foo@example.org"Declared by:
services.ssmtp.domain¶
The domain from which mail will appear to be sent.
Type: string
Default:
""Example:
"example.org"Declared by:
services.ssmtp.hostName¶
The host name of the default mail server to use to deliver e-mail. Can also contain a port number (ex: mail.example.org:587), defaults to port 25 if no port is given.
Type: string
Example:
"mail.example.org"Declared by:
services.ssmtp.root¶
The e-mail to which mail for users with UID < 1000 is forwarded.
Type: string
Default:
""Example:
"root@example.org"Declared by:
services.ssmtp.setSendmail¶
Whether to set the system sendmail to ssmtp’s.
Type: boolean
Default:
trueDeclared by:
services.ssmtp.useSTARTTLS¶
Whether the STARTTLS should be used to connect to the default mail server. (This is needed for TLS-capable mail servers running on the default SMTP port 25.)
Type: boolean
Default:
falseDeclared by:
services.ssmtp.useTLS¶
Whether TLS should be used to connect to the default mail server.
Type: boolean
Default:
falseDeclared by:
services.sssd.enable¶
Whether to enable the System Security Services Daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sssd.config¶
Contents of
sssd.conf.Type: strings concatenated with “\n”
Default:
'' [sssd] config_file_version = 2 services = nss, pam domains = shadowutils [nss] [pam] [domain/shadowutils] id_provider = proxy proxy_lib_name = files auth_provider = proxy proxy_pam_target = sssd-shadowutils proxy_fast_alias = True ''Declared by:
services.sssd.sshAuthorizedKeysIntegration¶
Whether to make sshd look up authorized keys from SSS. For this to work, the
sshSSS service must be enabled in the sssd configuration.Type: boolean
Default:
falseDeclared by:
services.stanchion.enable¶
Whether to enable stanchion.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.stanchion.package¶
Stanchion package to use.
Type: package
Default:
"pkgs.stanchion"Example:
pkgs.stanchionDeclared by:
services.stanchion.adminKey¶
Name of admin user.
Type: string
Default:
""Declared by:
services.stanchion.adminSecret¶
Name of admin secret
Type: string
Default:
""Declared by:
services.stanchion.dataDir¶
Data directory for Stanchion.
Type: path
Default:
"/var/db/stanchion"Declared by:
services.stanchion.distributedCookie¶
Cookie for distributed node communication. All nodes in the same cluster should use the same cookie or they will not be able to communicate.
Type: string
Default:
"riak"Declared by:
services.stanchion.extraConfig¶
Additional text to be appended to
stanchion.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.stanchion.listener¶
Name of Riak CS listening service.
Type: string
Default:
"127.0.0.1:8085"Declared by:
services.stanchion.logDir¶
Log directory for Stanchion.
Type: path
Default:
"/var/log/stanchion"Declared by:
services.stanchion.nodeName¶
Name of the Erlang node.
Type: string
Default:
"stanchion@127.0.0.1"Declared by:
services.stanchion.riakHost¶
Name of riak hosting service.
Type: string
Default:
"127.0.0.1:8087"Declared by:
services.stanchion.stanchionHost¶
Name of stanchion hosting service.
Type: string
Default:
"127.0.0.1:8085"Declared by:
services.strongswan.enable¶
Whether to enable strongSwan.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.strongswan.enabledPlugins¶
A list of additional plugins to enable if is true.
Type: list of strings
Default: ``[
]``
Declared by:
services.strongswan.ca¶
A set of CAs (certification authorities) and their options for the ‘ca xxx’ sections of the
ipsec.conffile.Type: attribute set of attribute set of stringss
Default: ``{
}``
Example:
{ strongswan = { auto = "add"; cacert = "/run/keys/strongswanCert.pem"; crluri = "http://crl2.strongswan.org/strongswan.crl"; } ; }Declared by:
services.strongswan.connections¶
A set of connections and their options for the ‘conn xxx’ sections of the
ipsec.conffile.Type: attribute set of attribute set of stringss
Default: ``{
}``
Example:
{ %default = { keyexchange = "ikev2"; keyingtries = "1"; } ; roadwarrior = { auto = "add"; leftcert = "/run/keys/moonCert.pem"; leftid = "@moon.strongswan.org"; leftsubnet = "10.1.0.0/16"; right = "%any"; } ; }Declared by:
services.strongswan.managePlugins¶
If set to true, this option will disable automatic plugin loading and then tell strongSwan to enable the plugins specified in the option.
Type: boolean
Default:
falseDeclared by:
services.strongswan.secrets¶
A list of paths to IPSec secret files. These files will be included into the main ipsec.secrets file with the
includedirective. It is safer if these paths are absolute.Type: list of strings
Default: ``[
]``
Example:
[ "/run/keys/ipsec-foo.secret" ]Declared by:
services.strongswan.setup¶
A set of options for the ‘config setup’ section of the:file:ipsec.conf file. Defines general configuration parameters.
Type: attribute set of strings
Default: ``{
}``
Example:
{ cachecrls = "yes"; strictcrlpolicy = "yes"; }Declared by:
services.strongswan-swanctl.enable¶
Whether to enable strongswan-swanctl service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.strongswan-swanctl.package¶
The strongswan derivation to use.
Type: package
Default:
"pkgs.strongswan"Declared by:
services.strongswan-swanctl.strongswan.extraConfig¶
Contents of the
strongswan.conffile.Type: string
Default:
""Declared by:
services.strongswan-swanctl.swanctl.authorities¶
Section defining complementary attributes of certification authorities, each in its own subsection with an arbitrary yet unique name
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.authorities.<name>.cacert¶
The certificates may use a relative path from the swanctl``x509ca`` directory or an absolute path.
Configure one of ,, or per section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base¶
Defines the base URI for the Hash and URL feature supported by IKEv2. Instead of exchanging complete certificates, IKEv2 allows one to send an URI that resolves to the DER encoded certificate. The certificate URIs are built by appending the SHA1 hash of the DER encoded certificates to this base URI.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.crl_uris¶
List of CRL distribution points (ldap, http, or file URI).
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.file¶
Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.handle¶
Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.module¶
Optional PKCS#11 module name.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.ocsp_uris¶
List of OCSP URIs.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.authorities.<name>.slot¶
Optional slot number of the token that stores the certificate.
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections¶
Section defining IKE connection configurations, each in its own subsection with an arbitrary yet unique name
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.aggressive¶
Enables Aggressive Mode instead of Main Mode with Identity Protection. Aggressive Mode is considered less secure, because the ID and HASH payloads are exchanged unprotected. This allows a passive attacker to snoop peer identities, and even worse, start dictionary attacks on the Preshared Key.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.childless¶
Use childless IKE_SA initiation (RFC 6023) for IKEv2. Acceptable values are
allow(the default),forceand``never``. If set toallow, responders will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT response) while initiators continue to create regular IKE_SAs with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly without any children (which will fail if the responder does not support or has disabled this extension). If set to``force``, only childless initiation is accepted and the first CHILD_SA is created with a separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange for all CHILD_SAs). Finally, setting the option toneverdisables support for childless IKE_SAs as responder.StrongSwan default:
"allow"Type: null or one of “allow”, “force”, “never”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children¶
CHILD_SA configuration sub-section. Each connection definition may have one or more sections in its subsection. The section name defines the name of the CHILD_SA configuration, which must be unique within the connection (denoted <child> below).
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ah_proposals¶
AH proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For AH, this includes an integrity algorithm and an optional Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation uses a separate Diffie-Hellman exchange using the specified group (refer to esp_proposals for details).
In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1.
Algorithm keywords get separated using dashes. Multiple proposals may be specified in a list. The special value
defaultforms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability. By default no AH proposals are included, instead ESP is proposed.StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.close_action¶
Action to perform after a CHILD_SA gets closed by the peer.
- The default of
nonedoes not take any action,trapinstalls a trap policy for the CHILD_SA.starttries to re-create the CHILD_SA.does not provide any guarantee that the CHILD_SA is kept alive. It acts on explicit close messages only, but not on negotiation failures. Use trap policies to reliably re-create failed CHILD_SAs.
StrongSwan default:
"none"Type: null or one of “none”, “trap”, “start”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_df¶
Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This effectively disables Path MTU discovery (PMTUD). Controlling this behavior is not supported by all kernel interfaces.
StrongSwan default:
trueType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_dscp¶
Whether to copy the DSCP (Differentiated Services Field Codepoint) header field to/from the outer IP header in tunnel mode. The value``out`` only copies the field from the inner to the outer header, the value
indoes the opposite and only copies the field from the outer to the inner header when decapsulating, the valueyescopies the field in both directions, and the valuenodisables copying the field altogether. Setting this toyesor``in`` could allow an attacker to adversely affect other traffic at the receiver, which is why the default is``out``. Controlling this behavior is not supported by all kernel interfaces.StrongSwan default:
"out"Type: null or one of “out”, “in”, “yes”, “no”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_ecn¶
Whether to copy the ECN (Explicit Congestion Notification) header field to/from the outer IP header in tunnel mode. Controlling this behavior is not supported by all kernel interfaces.
StrongSwan default:
trueType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.dpd_action¶
Action to perform for this CHILD_SA on DPD timeout. The default clear closes the CHILD_SA and does not take further action. trap installs a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand. restart immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA.
StrongSwan default:
"clear"Type: null or one of “clear”, “trap”, “restart”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals¶
ESP proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For ESP non-AEAD proposals, this includes an integrity algorithm, an encryption algorithm, an optional Diffie-Hellman group and an optional Extended Sequence Number Mode indicator. For AEAD proposals, a combined mode algorithm is used instead of the separate encryption/integrity algorithms.
If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a separate Diffie-Hellman exchange using the specified group. However, for IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always be derived from the IKE_SA’s key material. So any DH group specified here will only apply when the CHILD_SA is later rekeyed or is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately be noticed when the SA is established, but may later cause rekeying to fail.
Extended Sequence Number support may be indicated with the``esn`` and
noesnvalues, both may be included to indicate support for both modes. If omitted,``noesn`` is assumed.In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1.
Algorithm keywords get separated using dashes. Multiple proposals may be specified as a list. The special value
defaultforms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability. If no algorithms are specified for AH nor ESP, the default set of algorithms for ESP is included.StrongSwan default:
["default"]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.hostaccess¶
Hostaccess variable to pass to
updownscript.StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.hw_offload¶
Enable hardware offload for this CHILD_SA, if supported by the IPsec implementation. The value
yesenforces offloading and the installation will fail if it’s not supported by either kernel or device. The valueautoenables offloading, if it’s supported, but the installation does not fail otherwise.StrongSwan default:
"no"Type: null or one of “yes”, “no”, “auto”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_in¶
XFRM interface ID set on inbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same ID. The special value
%uniquesets a unique interface ID on each CHILD_SA instance, beyond that the value``%unique-dir`` assigns a different unique interface ID for each CHILD_SA direction (in/out).StrongSwan default:
"0"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_out¶
XFRM interface ID set on outbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same ID. The special value
%uniquesets a unique interface ID on each CHILD_SA instance, beyond that the value``%unique-dir`` assigns a different unique interface ID for each CHILD_SA direction (in/out).The daemon will not install routes for CHILD_SAs that have this option set.
StrongSwan default:
"0"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.inactivity¶
Timeout before closing CHILD_SA after inactivity. If no traffic has been processed in either direction for the configured timeout, the CHILD_SA gets closed due to inactivity. The default value of 0 disables inactivity checks.
StrongSwan default:
"0s"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.interface¶
Optional interface name to restrict outbound IPsec policies.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ipcomp¶
Enable IPComp compression before encryption. If enabled, IKE tries to negotiate IPComp compression to compress ESP payload data prior to encryption.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.life_bytes¶
Maximum bytes processed before CHILD_SA gets closed. Usually this hard volume limit is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA. The default is 10% more than .
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.life_packets¶
Maximum number of packets processed before CHILD_SA gets closed. Usually this hard packets limit is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA.
The default is 10% more than .
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.life_time¶
Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA. The default is 10% more than the .
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.local_ts¶
List of local traffic selectors to include in CHILD_SA. Each selector is a CIDR subnet definition, followed by an optional proto/port selector. The special value
dynamicmay be used instead of a subnet definition, which gets replaced by the tunnel outer address or the virtual IP, if negotiated. This is the default.A protocol/port selector is surrounded by opening and closing square brackets. Between these brackets, a numeric or getservent(3) protocol name may be specified. After the optional protocol restriction, an optional port restriction may be specified, separated by a slash. The port restriction may be numeric, a getservent(3) service name, or the special value
opaquefor RFC 4301 OPAQUE selectors. Port ranges may be specified as well, none of the kernel backends currently support port ranges, though.When IKEv1 is used only the first selector is interpreted, except if the Cisco Unity extension plugin is used. This is due to a limitation of the IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA. So to tunnel traffic matched by several pairs of selectors when using IKEv1 several children (CHILD_SAs) have to be defined that cover the selectors. The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is standardized and implemented for IKEv2. However, this may lead to problems with other implementations. To avoid that, configure identical selectors in such scenarios.
StrongSwan default:
["dynamic"]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in¶
Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks on each packet to match an SA/policy having that option set. This allows installing duplicate policies and enables Netfilter rules to select specific SAs/policies for incoming traffic. Note that inbound marks are only set on policies, by default, unless is enabled. The special value``%unique`` sets a unique mark on each CHILD_SA instance, beyond that the value
%unique-dirassigns a different unique mark for eachAn additional mask may be appended to the mark, separated by``/
. The default mask if omitted is``0xffffffff.StrongSwan default:
"0/0x00000000"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa¶
Whether to set on the inbound SA. By default, the inbound mark is only set on the inbound policy. The tuple destination address, protocol and SPI is unique and the mark is not required to find the correct SA, allowing to mark traffic after decryption instead (where more specific selectors may be used) to match different policies. Marking packets before decryption is still possible, even if no mark is set on the SA.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_out¶
Netfilter mark and mask for output traffic. On Linux, Netfilter may require marks on each packet to match a policy/SA having that option set. This allows installing duplicate policies and enables Netfilter rules to select specific policies/SAs for outgoing traffic. The special value
%uniquesets a unique mark on each CHILD_SA instance, beyond that the value%unique-dirassigns a different unique mark for each CHILD_SA direction (in/out).An additional mask may be appended to the mark, separated by``/
. The default mask if omitted is``0xffffffff.StrongSwan default:
"0/0x00000000"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mode¶
IPsec Mode to establish CHILD_SA with.
tunnelnegotiates the CHILD_SA in IPsec Tunnel Mode,- whereas
transportuses IPsec Transport Mode.transport_proxysignifying the special Mobile IPv6 Transport Proxy Mode.beetis the Bound End to End Tunnel mixture mode, working with fixed inner addresses without the need to include them in each packet.- Both
transportandbeetmodes are subject to mode negotiation;tunnelmode is negotiated if the preferred mode is not available.passanddropare used to install shunt policies which explicitly bypass the defined traffic from IPsec processing or drop it, respectively.StrongSwan default:
"tunnel"Type: null or one of “tunnel”, “transport”, “transport_proxy”, “beet”, “pass”, “drop”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.policies¶
Whether to install IPsec policies or not. Disabling this can be useful in some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. Since 5.3.3.
StrongSwan default:
trueType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.policies_fwd_out¶
Whether to install outbound FWD IPsec policies or not. Enabling this is required in case there is a drop policy that would match and block forwarded traffic for this CHILD_SA. Since 5.5.1.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.priority¶
Optional fixed priority for IPsec policies. This could be useful to install high-priority drop policies. The default of 0 uses dynamically calculated priorities based on the size of the traffic selectors.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rand_bytes¶
Byte range from which to choose a random value to subtract from. The default is the difference between and .
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rand_packets¶
Packet range from which to choose a random value to subtract from. The default is the difference between and .
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rand_time¶
Time range from which to choose a random value to subtract from. The default is the difference between and .
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_bytes¶
Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal.
To avoid rekey collisions initiated by both ends simultaneously, a value in the range of gets subtracted to form the effective soft volume limit.
Volume based CHILD_SA rekeying is disabled by default.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_packets¶
Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal.
To avoid rekey collisions initiated by both ends simultaneously, a value in the range of gets subtracted to form the effective soft packet count limit.
Packet count based CHILD_SA rekeying is disabled by default.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_time¶
Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. To avoid rekey collisions initiated by both ends simultaneously, a value in the range of gets subtracted to form the effective soft lifetime.
By default CHILD_SA rekeying is scheduled every hour, minus.
StrongSwan default:
"1h"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.remote_ts¶
List of remote selectors to include in CHILD_SA. See for a description of the selector syntax.
StrongSwan default:
["dynamic"]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.replay_window¶
IPsec replay window to configure for this CHILD_SA. Larger values than the default of
32are supported using the Netlink backend only, a value of0disables IPsec replay protection.StrongSwan default:
32Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.reqid¶
Fixed reqid to use for this CHILD_SA. This might be helpful in some scenarios, but works only if each CHILD_SA configuration is instantiated not more than once. The default of 0 uses dynamic reqids, allocated incrementally.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in¶
Netfilter mark applied to packets after the inbound IPsec SA processed them. This way it’s not necessary to mark packets via Netfilter before decryption or right afterwards to match policies or process them differently (e.g. via policy routing).
An additional mask may be appended to the mark, separated by``/
. The default mask if omitted is 0xffffffff. The special value ``%sameuses the value (but not the mask) from as mark value, which can be fixed,``%unique`` or%unique-dir.Setting marks in XFRM input requires Linux 4.19 or higher.
StrongSwan default:
"0/0x00000000"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out¶
Netfilter mark applied to packets after the outbound IPsec SA processed them. This allows processing ESP packets differently than the original traffic (e.g. via policy routing).
An additional mask may be appended to the mark, separated by``/
. The default mask if omitted is 0xffffffff. The special value ``%sameuses the value (but not the mask) from as mark value, which can be fixed,``%unique_`` or%unique-dir.Setting marks in XFRM output is supported since Linux 4.14. Setting a mask requires at least Linux 4.19.
StrongSwan default:
"0/0x00000000"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.sha256_96¶
HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility with implementations that incorrectly use 96-bit truncation this option may be enabled to configure the shorter truncation length in the kernel. This is not negotiated, so this only works with peers that use the incorrect truncation length (or have this option enabled).
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action¶
Action to perform after loading the configuration.
- The default of
noneloads the connection only, which then can be manually initiated or used as a responder configuration.- The value
trapinstalls a trap policy, which triggers the tunnel as soon as matching traffic has been detected.- The value
startinitiates the connection actively.When unloading or replacing a CHILD_SA configuration having a different from
none, the inverse action is performed. Configurations with``start`` get closed, while such with``trap`` get uninstalled.StrongSwan default:
"none"Type: null or one of “none”, “trap”, “start”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.tfc_padding¶
Pads ESP packets with additional data to have a consistent ESP packet size for improved Traffic Flow Confidentiality. The padding defines the minimum size of all ESP packets sent. The default value of``0`` disables TFC padding, the special value``mtu`` adds TFC padding to create a packet size equal to the Path Maximum Transfer Unit.
StrongSwan default:
0Type: null or signed integer or one of “mtu”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.updown¶
Updown script to invoke on CHILD_SA up and down events.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.dpd_delay¶
Interval to check the liveness of a peer actively using IKEv2 INFORMATIONAL exchanges or IKEv1 R_U_THERE messages. Active DPD checking is only enforced if no IKE or ESP/AH packet has been received for the configured DPD delay.
StrongSwan default:
"0s"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.dpd_timeout¶
Charon by default uses the normal retransmission mechanism and timeouts to check the liveness of a peer, as all messages are used for liveness checking. For compatibility reasons, with IKEv1 a custom interval may be specified; this option has no effect on connections using IKEv2.
StrongSwan default:
"0s"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.dscp¶
Differentiated Services Field Codepoint to set on outgoing IKE packets for this connection. The value is a six digit binary encoded string specifying the Codepoint to set, as defined in RFC 2474.
StrongSwan default:
"000000"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.encap¶
To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT detection payloads. This makes the peer believe that NAT takes place on the path, forcing it to encapsulate ESP packets in UDP.
Usually this is not required, but it can help to work around connectivity issues with too restrictive intermediary firewalls.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.fragmentation¶
Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation). Acceptable values are
yes(the default since 5.5.1),accept(since versions:5.5.3),``force`` andno.
- If set to
yes, and the peer supports it, oversized IKE messages will be sent in fragments.- If set to``accept``, support for fragmentation is announced to the peer but the daemon does not send its own messages in fragments.
- If set to
force(only supported for IKEv1) the initial IKE message will already be fragmented if required.- Finally, setting the option to
nowill disable announcing support for this feature.Note that fragmented IKE messages sent by a peer are always processed irrespective of the value of this option (even when set to no).
StrongSwan default:
"yes"Type: null or one of “yes”, “accept”, “force”, “no”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.if_id_in¶
XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details.
StrongSwan default:
"0"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.if_id_out¶
XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details.
StrongSwan default:
"0"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.keyingtries¶
Number of retransmission sequences to perform during initial connect. Instead of giving up initiation after the first retransmission sequence with the default value of
1, additional sequences may be started according to the configured value. A value of``0`` initiates a new sequence until the connection establishes or fails with a permanent error.StrongSwan default:
1Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local¶
Section for a local authentication round. A local authentication round defines the rules how authentication is performed for the local peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth.
Each round is defined in a section having
localas prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.aaa_id¶
Server side EAP-Identity to expect in the EAP method. Some EAP methods, such as EAP-TLS, use an identity for the server to perform mutual authentication. This identity may differ from the IKE identity, especially when EAP authentication is delegated from the IKE responder to an AAA backend.
For EAP-(T)TLS, this defines the identity for which the server must provide a certificate in the TLS exchange.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth¶
Authentication to perform locally.
- The default
pubkeyuses public key authentication using a private key associated to a usable certificate.pskuses pre-shared key authentication.- The IKEv1 specific
xauthis used for XAuth or Hybrid authentication,- while the IKEv2 specific
eapkeyword defines EAP authentication.- For
xauth, a specific backend name may be appended, separated by a dash. The appropriatexauthbackend is selected to perform the XAuth exchange. For traditional XAuth, the``xauth`` method is usually defined in the second authentication round following an initialpubkey(or``psk``) round. Usingxauthin the first round performs Hybrid Mode client authentication.- For
eap, a specific EAP method name may be appended, separated by a dash. An EAP module implementing the appropriate method is selected to perform the EAP conversation.- Since 5.4.0, if both peers support RFC 7427 (“Signature Authentication in IKEv2”) specific hash algorithms to be used during IKEv2 authentication may be configured. To do so use
ike:followed by a trust chain signature scheme constraint (see description of the section’s keyword). For example, withike:pubkey-sha384-sha256a public key signature scheme with either SHA-384 or SHA-256 would get used for authentication, in that order and depending on the hash algorithms supported by the peer. If no specific hash algorithms are configured, the default is to prefer an algorithm that matches or exceeds the strength of the signature key. If no constraints with``ike:`` prefix are configured any signature scheme constraint (withoutike:prefix) will also apply to IKEv2 authentication, unless this is disabled in``strongswan.conf``. To use RSASSA-PSS signatures use``rsa/pss`` instead ofpubkeyor``rsa`` as in e.g.``ike:rsa/pss-sha256``. Ifpubkeyor``rsa`` constraints are configured RSASSA-PSS signatures will only be used if enabled in ``strongswan.conf``(5).StrongSwan default:
"pubkey"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert¶
Section for a certificate candidate to use for authentication. Certificates in certs are transmitted as binary blobs, these sections offer more flexibility.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.file¶
Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.handle¶
Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.module¶
Optional PKCS#11 module name.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.slot¶
Optional slot number of the token that stores the certificate.
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.certs¶
List of certificate candidates to use for authentication. The certificates may use a relative path from the swanctl
x509directory or an absolute path.The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.eap_id¶
Client EAP-Identity to use in EAP-Identity exchange and the EAP method.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.id¶
IKE identity to use for authentication round. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.pubkeys¶
List of raw public key candidates to use for authentication. The public keys may use a relative path from the swanctl``pubkey`` directory or an absolute path.
Even though multiple local public keys could be defined in principle, only the first public key in the list is used for authentication.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.round¶
Optional numeric identifier by which authentication rounds are sorted. If not specified rounds are ordered by their position in the config file/vici message.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.xauth_id¶
Client XAuth username used in the XAuth exchange.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local_addrs¶
Local address(es) to use for IKE communication. Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
As initiator, the first non-range/non-subnet is used to initiate the connection from. As responder, the local destination address must match at least to one of the specified addresses, subnets or ranges.
If FQDNs are assigned they are resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.local_port¶
Local UDP port for IKE communication. By default the port of the socket backend is used, which is usually
500. If port``500`` is used, automatic IKE port floating to port``4500`` is used to work around NAT issues.Using a non-default local IKE port requires support from the socket backend in use (socket-dynamic).
StrongSwan default:
500Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.mediated_by¶
The name of the connection to mediate this connection through. If given, the connection will be mediated through the named mediation connection. The mediation connection must have mediation enabled.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.mediation¶
Whether this connection is a mediation connection, that is, whether this connection is used to mediate other connections using the IKEv2 Mediation Extension. Mediation connections create no CHILD_SA.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.mediation_peer¶
Identity under which the peer is registered at the mediation server, that is, the IKE identity the other end of this connection uses as its local identity on its connection to the mediation server. This is the identity we request the mediation server to mediate us with. Only relevant on connections that set mediated_by. If it is not given, the remote IKE identity of the first authentication round of this connection will be used.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.mobike¶
Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 connections, and allows mobility of clients and multi-homing on servers by migrating active IPsec tunnels.
Usually keeping MOBIKE enabled is unproblematic, as it is not used if the peer does not indicate support for it. However, due to the design of MOBIKE, IKEv2 always floats to port 4500 starting from the second exchange. Some implementations don’t like this behavior, hence it can be disabled.
StrongSwan default:
trueType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.over_time¶
Hard IKE_SA lifetime if rekey/reauth does not complete, as time. To avoid having an IKE/ISAKMP kept alive if IKE reauthentication or rekeying fails perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails to rekey or reauthenticate within the specified time, the IKE_SA gets closed.
In contrast to CHILD_SA rekeying, over_time is relative in time to the rekey_time and reauth_time values, as it applies to both.
The default is 10% of the longer of and.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.pools¶
List of named IP pools to allocate virtual IP addresses and other configuration attributes from. Each name references a pool by name from either the pools section or an external pool.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.ppk_id¶
String identifying the Postquantum Preshared Key (PPK) to be used.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.ppk_required¶
Whether a Postquantum Preshared Key (PPK) is required for this connection.
StrongSwan default:
falseType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.proposals¶
A proposal is a set of algorithms. For non-AEAD algorithms, this includes for IKE an encryption algorithm, an integrity algorithm, a pseudo random function and a Diffie-Hellman group. For AEAD algorithms, instead of encryption and integrity algorithms, a combined algorithm is used.
In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1.
Algorithm keywords get separated using dashes. Multiple proposals may be specified in a list. The special value
defaultforms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability.StrongSwan default:
["default"]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.pull¶
If the default of yes is used, Mode Config works in pull mode, where the initiator actively requests a virtual IP. With no, push mode is used, where the responder pushes down a virtual IP to the initiating peer.
Push mode is currently supported for IKEv1, but not in IKEv2. It is used by a few implementations only, pull mode is recommended.
StrongSwan default:
trueType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.rand_time¶
Time range from which to choose a random value to subtract from rekey/reauth times. To avoid having both peers initiating the rekey/reauth procedure simultaneously, a random time gets subtracted from the rekey/reauth times.
The default is equal to the configured .
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.reauth_time¶
Time to schedule IKE reauthentication. IKE reauthentication recreates the IKE/ISAKMP SA from scratch and re-evaluates the credentials. In asymmetric configurations (with EAP or configuration payloads) it might not be possible to actively reauthenticate as responder. The IKEv2 reauthentication lifetime negotiation can instruct the client to perform reauthentication.
Reauthentication is disabled by default. Enabling it usually may lead to small connection interruptions, as strongSwan uses a break-before-make policy with IKEv2 to avoid any conflicts with associated tunnel resources.
StrongSwan default:
"0s"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.rekey_time¶
IKE rekeying refreshes key material using a Diffie-Hellman exchange, but does not re-check associated credentials. It is supported in IKEv2 only, IKEv1 performs a reauthentication procedure instead.
With the default value IKE rekeying is scheduled every 4 hours, minus the configured rand_time. If a reauth_time is configured, rekey_time defaults to zero, disabling rekeying; explicitly set both to enforce rekeying and reauthentication.
StrongSwan default:
"4h"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote¶
Section for a remote authentication round. A remote authentication round defines the constraints how the peers must authenticate to use this connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth.
Each round is defined in a section having
remoteas prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth¶
Authentication to expect from remote. See the section’s keyword description about the details of supported mechanisms.
Since 5.4.0, to require a trustchain public key strength for the remote side, specify the key type followed by the minimum strength in bits (for example
ecdsa-384or``rsa-2048-ecdsa-256``). To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to pubkey or a key strength definition (for example``pubkey-sha256-sha512``,``rsa-2048-sha256-sha384-sha512`` or``rsa-2048-sha256-ecdsa-256-sha256-sha384``). Unless disabled instrongswan.conf, or explicit IKEv2 signature constraints are configured (refer to the description of the section’s keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication schemes used by the remote side. To require RSASSA-PSS signatures use``rsa/pss`` instead ofpubkeyor``rsa`` as in e.g.rsa/pss-sha256. If``pubkey`` orrsaconstraints are configured RSASSA-PSS signatures will only be accepted if enabled in``strongswan.conf``(5).To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed above (e.g.
eap-tls:ecdsa-384-sha384).StrongSwan default:
"pubkey"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert¶
Section for a CA certificate to accept for authentication. Certificates in cacerts are transmitted as binary blobs, these sections offer more flexibility.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file¶
Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.handle¶
Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.module¶
Optional PKCS#11 module name.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.slot¶
Optional slot number of the token that stores the certificate.
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacerts¶
List of CA certificates to accept for authentication. The certificates may use a relative path from the swanctl
x509cadirectory or an absolute path.StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert¶
Section for a certificate candidate to use for authentication. Certificates in certs are transmitted as binary blobs, these sections offer more flexibility.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.file¶
Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.handle¶
Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.
Configure either this or , but not both, in one section.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.module¶
Optional PKCS#11 module name.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.slot¶
Optional slot number of the token that stores the certificate.
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert_policy¶
List of certificate policy OIDs the peer’s certificate must have. OIDs are specified using the numerical dotted representation.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.certs¶
List of certificates to accept for authentication. The certificates may use a relative path from the swanctl
x509directory or an absolute path.StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.eap_id¶
Identity to use as peer identity during EAP authentication. If set to``%any`` the EAP-Identity method will be used to ask the client for an EAP identity.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.groups¶
Authorization group memberships to require. The peer must prove membership to at least one of the specified groups. Group membership can be certified by different means, for example by appropriate Attribute Certificates or by an AAA backend involved in the authentication.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.id¶
IKE identity to expect for authentication round. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.
StrongSwan default:
"%any"Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.pubkeys¶
List of raw public keys to accept for authentication. The public keys may use a relative path from the swanctl``pubkey`` directory or an absolute path.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.revocation¶
Certificate revocation policy for CRL or OCSP revocation.
- A
strictrevocation policy fails if no revocation information is available, i.e. the certificate is not known to be unrevoked.ifurifails only if a CRL/OCSP URI is available, but certificate revocation checking fails, i.e. there should be revocation information available, but it could not be obtained.- The default revocation policy
relaxedfails only if a certificate is revoked, i.e. it is explicitly known that it is bad.StrongSwan default:
"relaxed"Type: null or one of “strict”, “ifuri”, “relaxed”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.round¶
Optional numeric identifier by which authentication rounds are sorted. If not specified rounds are ordered by their position in the config file/vici message.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote_addrs¶
Remote address(es) to use for IKE communication. Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.
As initiator, the first non-range/non-subnet is used to initiate the connection to. As responder, the initiator source address must match at least to one of the specified addresses, subnets or ranges.
If FQDNs are assigned they are resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time. To initiate a connection, at least one specific address or DNS name must be specified.
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.remote_port¶
Remote UDP port for IKE communication. If the default of port``500`` is used, automatic IKE port floating to port``4500`` is used to work around NAT issues.
StrongSwan default:
500Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.send_cert¶
Send certificate payloads when using certificate authentication.
- With the default of
ifaskedthe daemon sends certificate payloads only if certificate requests have been received.neverdisables sending of certificate payloads altogether,alwayscauses certificate payloads to be sent unconditionally whenever certificate authentication is used.StrongSwan default:
"ifasked"Type: null or one of “always”, “never”, “ifasked”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.send_certreq¶
Send certificate request payloads to offer trusted root CA certificates to the peer. Certificate requests help the peer to choose an appropriate certificate/private key for authentication and are enabled by default. Disabling certificate requests can be useful if too many trusted root CA certificates are installed, as each certificate request increases the size of the initial IKE packets.
StrongSwan default:
trueType: null or boolean
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.unique¶
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced.
- The value
neverdoes never enforce such a policy, even if a peer included INITIAL_CONTACT notification messages,- whereas
noreplaces existing connections for the same identity if a new one has the INITIAL_CONTACT notify.keeprejects new connection attempts if the same user already has an active connection,replacedeletes any existing connection if a new one for the same user gets established.To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). Unless set to
neverthe client will send a notify.StrongSwan default:
"no"Type: null or one of “no”, “never”, “keep”, “replace”
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.version¶
IKE major version to use for connection.
- 1 uses IKEv1 aka ISAKMP,
- 2 uses IKEv2.
- A connection using the default of 0 accepts both IKEv1 and IKEv2 as responder, and initiates the connection actively with IKEv2.
StrongSwan default:
0Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.connections.<name>.vips¶
List of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses
0.0.0.0and``::`` request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools¶
Section defining named pools. Named pools may be referenced by connections with the pools option to assign virtual IPs and other configuration attributes. Each pool must have a unique name (denoted <name> below).
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.pools.<name>.addrs¶
Subnet or range defining addresses allocated in pool. Accepts a single CIDR subnet defining the pool to allocate addresses from or an address range (<from>-<to>). Pools must be unique and non-overlapping.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.dhcp¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.dns¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.nbns¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.netmask¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.server¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.split_exclude¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.split_include¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.pools.<name>.subnet¶
Address or CIDR subnets
StrongSwan default:
[]Type: null or list of strings
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.eap¶
EAP secret section for a specific secret. Each EAP secret is defined in a unique section having the
eapprefix. EAP secrets are used for XAuth authentication as well.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.eap.<name>.id¶
Identity the EAP/XAuth secret belongs to. Multiple unique identities may be specified, each having an
idprefix, if a secret is shared between multiple users.Type: attribute set of null or strings
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.eap.<name>.secret¶
Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.ecdsa¶
Private key decryption passphrase for a key in the``ecdsa`` folder.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.file¶
File name in the
ecdsafolder for which this passphrase should be used.Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.secret¶
Value of decryption passphrase for ECDSA key.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.ike¶
IKE preshared secret section for a specific secret. Each IKE PSK is defined in a unique section having the
ikeprefix.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ike.<name>.id¶
IKE identity the IKE preshared secret belongs to. Multiple unique identities may be specified, each having an
idprefix, if a secret is shared between multiple peers.Type: attribute set of null or strings
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ike.<name>.secret¶
Value of the IKE preshared secret. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.ntlm¶
NTLM secret section for a specific secret. Each NTLM secret is defined in a unique section having the
ntlmprefix. NTLM secrets may only be used for EAP-MSCHAPv2 authentication.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.id¶
Identity the NTLM secret belongs to. Multiple unique identities may be specified, each having an id prefix, if a secret is shared between multiple users.
Type: attribute set of null or strings
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.secret¶
Value of the NTLM secret, which is the NT Hash of the actual secret, that is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either be given as a hex encoded string with a 0x prefix or as a Base64 encoded string with a 0s prefix.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.pkcs12¶
PKCS#12 decryption passphrase for a container in the``pkcs12`` folder.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.pkcs12.<name>.file¶
File name in the
pkcs12folder for which this passphrase should be used.Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.pkcs12.<name>.secret¶
Value of decryption passphrase for PKCS#12 container.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.pkcs8¶
Private key decryption passphrase for a key in the``pkcs8`` folder.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.file¶
File name in the
pkcs8folder for which this passphrase should be used.Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.secret¶
Value of decryption passphrase for PKCS#8 key.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.ppk¶
Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is defined in a unique section having the
ppkprefix.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ppk.<name>.id¶
PPK identity the PPK belongs to. Multiple unique identities may be specified, each having an
idprefix, if a secret is shared between multiple peers.Type: attribute set of null or strings
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.ppk.<name>.secret¶
Value of the PPK. It may either be an ASCII string, a hex encoded string if it has a
0xprefix or a Base64 encoded string if it has a0sprefix in its value. Should have at least 256 bits of entropy for 128-bit security.Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.private¶
Private key decryption passphrase for a key in the``private`` folder.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.private.<name>.file¶
File name in the private folder for which this passphrase should be used.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.private.<name>.secret¶
Value of decryption passphrase for private key.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.rsa¶
Private key decryption passphrase for a key in the
rsafolder.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.rsa.<name>.file¶
File name in the
rsafolder for which this passphrase should be used.Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.rsa.<name>.secret¶
Value of decryption passphrase for RSA key.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.token¶
Definition for a private key that’s stored on a token/smartcard/TPM.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.token.<name>.handle¶
Hex-encoded CKA_ID or handle of the private key on the token or TPM, respectively.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.token.<name>.module¶
Optional PKCS#11 module name to access the token.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.token.<name>.pin¶
Optional PIN required to access the key on the token. If none is provided the user is prompted during an interactive``–load-creds`` call.
Type: null or string
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.token.<name>.slot¶
Optional slot number to access the token.
Type: null or signed integer
Default:
nullDeclared by:
services.strongswan-swanctl.swanctl.secrets.xauth¶
EAP secret section for a specific secret. Each EAP secret is defined in a unique section having the
eapprefix. EAP secrets are used for XAuth authentication as well.Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.xauth.<name>.id¶
Identity the EAP/XAuth secret belongs to. Multiple unique identities may be specified, each having an
idprefix, if a secret is shared between multiple users.Type: attribute set of null or strings
Default: ``{
}``
Declared by:
services.strongswan-swanctl.swanctl.secrets.xauth.<name>.secret¶
Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value.
Type: null or string
Default:
nullDeclared by:
services.stubby.enable¶
Whether to enable Stubby DNS resolver.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.stubby.authenticationMode¶
Selects the Strict or Opportunistic usage profile. For strict, set to
GETDNS_AUTHENTICATION_REQUIRED. for opportunistic, useGETDNS_AUTHENTICATION_NONE.Type: one of “GETDNS_AUTHENTICATION_REQUIRED”, “GETDNS_AUTHENTICATION_NONE”
Default:
"GETDNS_AUTHENTICATION_REQUIRED"Declared by:
services.stubby.debugLogging¶
Enable or disable debug level logging.
Type: boolean
Default:
falseDeclared by:
services.stubby.extraConfig¶
Add additional configuration options. see stubby1for more options.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.stubby.fallbackProtocols¶
Ordered list composed of one or more transport protocols. Strict mode should only use
GETDNS_TRANSPORT_TLS. Other options areGETDNS_TRANSPORT_UDPand``GETDNS_TRANSPORT_TCP``.Type: list of one of “GETDNS_TRANSPORT_TLS”, “GETDNS_TRANSPORT_TCP”, “GETDNS_TRANSPORT_UDP”s
Default:
[ "GETDNS_TRANSPORT_TLS" ]Declared by:
services.stubby.idleTimeout¶
EDNS0 option for keepalive idle timeout expressed in milliseconds.
Type: signed integer
Default:
10000Declared by:
services.stubby.listenAddresses¶
Sets the listen address for the stubby daemon. Uses port 53 by default. Ise IP@port to specify a different port.
Type: list of strings
Default:
[ "127.0.0.1" "0::1" ]Declared by:
services.stubby.queryPaddingBlocksize¶
EDNS0 option to pad the size of the DNS query to the given blocksize.
Type: signed integer
Default:
128Declared by:
services.stubby.roundRobinUpstreams¶
Instructs stubby to distribute queries across all available name servers. Default is
true. Set to``false`` in order to use the first available.Type: boolean
Default:
trueDeclared by:
services.stubby.subnetPrivate¶
EDNS0 option for ECS client privacy. Default is``true``. If set, this option prevents the client subnet from being sent to authoritative nameservers.
Type: boolean
Default:
trueDeclared by:
services.stubby.upstreamServers¶
Replace default upstreams. See stubby1 for an example of the entry formatting. In Strict mode, at least one of the following settings must be supplied for each nameserver:
tls_auth_nameor``tls_pubkey_pinset``.Type: strings concatenated with “\n”
Default:
'' - address_data: 145.100.185.15 tls_auth_name: "dnsovertls.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= - address_data: 145.100.185.16 tls_auth_name: "dnsovertls1.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= - address_data: 2001:610:1:40ba:145:100:185:15 tls_auth_name: "dnsovertls.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= - address_data: 2001:610:1:40ba:145:100:185:16 tls_auth_name: "dnsovertls1.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= - address_data: 2a04:b900:0:100::38 tls_auth_name: "getdnsapi.net" tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ''Declared by:
services.stunnel.enable¶
Whether to enable the stunnel TLS tunneling service.
Type: boolean
Default:
falseDeclared by:
services.stunnel.enableInsecureSSLv3¶
Enable support for the insecure SSLv3 protocol.
Type: boolean
Default:
falseDeclared by:
services.stunnel.clients¶
Define the client configurations.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ foobar = { accept = "0.0.0.0:8080"; connect = "nixos.org:443"; verifyChain = false; } ; }Declared by:
services.stunnel.clients.<name>.CAFile¶
Path to a file containing certificates to validate against.
Type: null or path
Default:
"\\${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"Declared by:
services.stunnel.clients.<name>.CAPath¶
Path to a directory containing certificates to validate against.
Type: null or path
Default:
nullDeclared by:
services.stunnel.clients.<name>.accept¶
IP:Port on which connections should be accepted.
Type: string
Declared by:
services.stunnel.clients.<name>.connect¶
IP:Port destination to connect to.
Type: string
Declared by:
services.stunnel.clients.<name>.verifyChain¶
Check if the provided certificate has a valid certificate chain (against CAPath).
Type: boolean
Default:
trueDeclared by:
services.stunnel.clients.<name>.verifyHostname¶
If set, stunnel checks if the provided certificate is valid for the given hostname.
Type: null or string
Default:
nullDeclared by:
services.stunnel.clients.<name>.verifyPeer¶
Check if the provided certificate is contained in CAPath.
Type: boolean
Default:
falseDeclared by:
services.stunnel.fipsMode¶
Enable FIPS 140-2 mode required for compliance.
Type: boolean
Default:
falseDeclared by:
services.stunnel.group¶
The group under which stunnel runs.
Type: null or string
Default:
"nogroup"Declared by:
services.stunnel.logLevel¶
Verbosity of stunnel output.
Type: one of “emerg”, “alert”, “crit”, “err”, “warning”, “notice”, “info”, “debug”
Default:
"info"Declared by:
services.stunnel.servers¶
Define the server configuations.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ fancyWebserver = { accept = 443; cert = "/path/to/pem/file"; connect = 8080; enable = true; } ; }Declared by:
services.stunnel.servers.<name>.accept¶
On which port stunnel should listen for incoming TLS connections.
Type: signed integer
Declared by:
services.stunnel.servers.<name>.cert¶
File containing both the private and public keys.
Type: path
Declared by:
services.stunnel.servers.<name>.connect¶
To which port the decrypted connection should be forwarded.
Type: signed integer
Declared by:
services.stunnel.user¶
The user under which stunnel runs.
Type: null or string
Default:
"nobody"Declared by:
services.subsonic.enable¶
Whether to enable Subsonic daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.subsonic.contextPath¶
The context path, i.e., the last part of the Subsonic URL. Typically ‘/’ or ‘/subsonic’. Default ‘/’
Type: path
Default:
"/"Declared by:
services.subsonic.defaultMusicFolder¶
Configure Subsonic to use this folder for music. This option only has effect the first time Subsonic is started.
Type: path
Default:
"/var/music"Declared by:
services.subsonic.defaultPlaylistFolder¶
Configure Subsonic to use this folder for playlists. This option only has effect the first time Subsonic is started.
Type: path
Default:
"/var/playlists"Declared by:
services.subsonic.defaultPodcastFolder¶
Configure Subsonic to use this folder for Podcasts. This option only has effect the first time Subsonic is started.
Type: path
Default:
"/var/music/Podcast"Declared by:
services.subsonic.home¶
The directory where Subsonic will create files. Make sure it is writable.
Type: path
Default:
"/var/lib/subsonic"Declared by:
services.subsonic.httpsPort¶
The port on which Subsonic will listen for incoming HTTPS traffic. Set to 0 to disable.
Type: signed integer
Default:
0Declared by:
services.subsonic.listenAddress¶
The host name or IP address on which to bind Subsonic. Only relevant if you have multiple network interfaces and want to make Subsonic available on only one of them. The default value will bind Subsonic to all available network interfaces.
Type: string
Default:
"0.0.0.0"Declared by:
services.subsonic.maxMemory¶
The memory limit (max Java heap size) in megabytes. Default: 100
Type: signed integer
Default:
100Declared by:
services.subsonic.port¶
The port on which Subsonic will listen for incoming HTTP traffic. Set to 0 to disable.
Type: signed integer
Default:
4040Declared by:
services.subsonic.transcoders¶
List of paths to transcoder executables that should be accessible from Subsonic. Symlinks will be created to each executable inside /var/lib/subsonic/transcoders.
Type: list of paths
Default:
[ "\\${pkgs.ffmpeg.bin}/bin/ffmpeg" ]Declared by:
services.sundtek.enable¶
Whether to enable Sundtek driver.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.supybot.enable¶
Enable Supybot, an IRC bot
Type: unspecified
Default:
falseDeclared by:
services.supybot.configFile¶
Path to a supybot config file. This can be generated by running supybot-wizard.
Note: all paths should include the full path to the stateDir directory (backup conf data logs logs/plugins plugins tmp web).
Type: path
Declared by:
services.supybot.stateDir¶
The root directory, logs and plugins are stored here
Type: unspecified
Default:
"/home/supybot"Declared by:
services.svnserve.enable¶
Whether to enable svnserve to serve Subversion repositories through the SVN protocol.
Type: unspecified
Default:
falseDeclared by:
services.svnserve.svnBaseDir¶
Base directory from which Subversion repositories are accessed.
Type: unspecified
Default:
"/repos"Declared by:
services.sympa.enable¶
Whether to enable Sympa mailing list manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sympa.database.createLocally¶
Whether to create a local database automatically.
Type: boolean
Default:
trueDeclared by:
services.sympa.database.host¶
Database host address.
For MySQL, use
localhostto connect using Unix domain socket.For PostgreSQL, use path to directory (e.g.
/run/postgresql) to connect using Unix domain socket located in this directory.Use
nullto fall back on Sympa default, or when using.Type: null or string
Default:
nullDeclared by:
services.sympa.database.name¶
Database name. When using SQLite this must be an absolute path to the database file.
Type: string
Default:
''if database.type == "SQLite" then "/var/lib/sympa/sympa.sqlite" else "sympa"''Declared by:
services.sympa.database.passwordFile¶
A file containing the password for .
Type: null or path
Default:
nullExample:
"/run/keys/sympa-dbpassword"Declared by:
services.sympa.database.port¶
Database port. Use
nullfor default port.Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
nullDeclared by:
services.sympa.database.type¶
Database engine to use.
Type: one of “SQLite”, “PostgreSQL”, “MySQL”
Default:
"SQLite"Example:
"MySQL"Declared by:
services.sympa.database.user¶
Database user. The system user name is used as a default.
Type: null or string
Default:
"sympa"Declared by:
services.sympa.domains¶
Email domains handled by this instance. There have to be MX records for keys of this attribute set.
Type: attribute set of submodules
Example:
{ "lists.example.org" = { webHost = "lists.example.org"; webLocation = "/"; }; "sympa.example.com" = { webHost = "example.com"; webLocation = "/sympa"; }; }Declared by:
services.sympa.domains.<name>.settings¶
The
robot.confconfiguration file as key value set. See ` <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html>`_ for list of configuration parameters.Type: attribute set of string or signed integer or booleans
Default: ``{
}``
Example:
{ default_max_list_members = 3; }Declared by:
services.sympa.domains.<name>.webHost¶
Domain part of the web interface URL (no web interface for this domain if
null). DNS record of type A (or AAAA or CNAME) has to exist with this value.Type: null or string
Default:
nullExample:
"archive.example.org"Declared by:
services.sympa.domains.<name>.webLocation¶
URL path part of the web interface.
Type: string
Default:
"/"Example:
"/sympa"Declared by:
services.sympa.lang¶
Default Sympa language. See ` <https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa>`_ for available options.
Type: string
Default:
"en_US"Example:
"cs"Declared by:
services.sympa.listMasters¶
The list of the email addresses of the listmasters (users authorized to perform global server commands).
Type: list of strings
Example:
[ "postmaster@sympa.example.org" ]Declared by:
services.sympa.mainDomain¶
Main domain to be used in
sympa.conf. Ifnull, one of the is chosen for you.Type: null or string
Default:
nullExample:
"lists.example.org"Declared by:
services.sympa.mta.type¶
Mail transfer agent (MTA) integration. Use
noneif you want to configure it yourself.The
postfixintegration sets up local Postfix instance that will pass incoming messages from configured domains to Sympa. You still need to configure at least outgoing message handling using e.g. .Type: one of “postfix”, “none”
Default:
"postfix"Declared by:
services.sympa.settings¶
The
sympa.confconfiguration file as key value set. See ` <https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html>`_ for list of configuration parameters.Type: attribute set of string or signed integer or booleans
Default: ``{
}``
Example:
{ default_home = "lists"; viewlogs_page_size = 50; }Declared by:
services.sympa.settingsFile¶
Set of files to be linked in
/var/lib/sympa.Type: attribute set of submodules
Default: ``{
}``
Example:
{ "list_data/lists.example.org/help" = { text = "subject This list provides help to users"; }; }Declared by:
services.sympa.settingsFile.<name>.enable¶
Whether this file should be generated. This option allows specific files to be disabled.
Type: boolean
Default:
trueDeclared by:
services.sympa.settingsFile.<name>.source¶
services.sympa.settingsFile.<name>.text¶
Text of the file.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.sympa.web.enable¶
Whether to enable Sympa web interface.
Type: boolean
Default:
trueDeclared by:
services.sympa.web.fcgiProcs¶
Number of FastCGI processes to fork.
Type: positive integer, meaning >0
Default:
2Declared by:
services.sympa.web.https¶
Whether to use HTTPS. When nginx integration is enabled, this option forces SSL and enables ACME. Please note that Sympa web interface always uses https links even when this option is disabled.
Type: boolean
Default:
trueDeclared by:
services.sympa.web.server¶
The webserver used for the Sympa web interface. Set it to `none` if you want to configure it yourself. Further nginx configuration can be done by adapting.
Type: one of “nginx”, “none”
Default:
"nginx"Declared by:
services.syncoid.enable¶
Whether to enable Syncoid ZFS synchronization service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.syncoid.commands¶
Syncoid commands to run.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ pool/test = { target = "root@target:pool/test"; } ; }Declared by:
services.syncoid.commands.<name>.extraArgs¶
Extra syncoid arguments for this command.
Type: list of strings
Default: ``[
]``
Example:
[ "--sshport 2222" ]Declared by:
services.syncoid.commands.<name>.recursive¶
Whether to also transfer child datasets.
Type: boolean
Default:
falseDeclared by:
services.syncoid.commands.<name>.recvOptions¶
Advanced options to pass to zfs recv. Options are specified without their leading dashes and separated by spaces.
Type: strings concatenated with ” “
Default:
""Example:
"ux recordsize o compression=lz4"Declared by:
services.syncoid.commands.<name>.sendOptions¶
Advanced options to pass to zfs send. Options are specified without their leading dashes and separated by spaces.
Type: strings concatenated with ” “
Default:
""Example:
"Lc e"Declared by:
services.syncoid.commands.<name>.source¶
Source ZFS dataset. Can be either local or remote. Defaults to the attribute name.
Type: string
Example:
"pool/dataset"Declared by:
services.syncoid.commands.<name>.sshKey¶
SSH private key file to use to login to the remote system. Defaults to option.
Type: null or path
Declared by:
services.syncoid.commands.<name>.target¶
Target ZFS dataset. Can be either local (pool/dataset) or remote (user@server:pool/dataset).
Type: string
Example:
"user@server:pool/dataset"Declared by:
services.syncoid.commands.<name>.useCommonArgs¶
Whether to add the configured common arguments to this command.
Type: boolean
Default:
trueDeclared by:
services.syncoid.commonArgs¶
Arguments to add to every syncoid command, unless disabled for that command. See` <https://github.com/jimsalterjrs/sanoid/#syncoid-command-line-options>`_ for available options.
Type: list of strings
Default: ``[
]``
Example:
[ "--no-sync-snap" ]Declared by:
services.syncoid.interval¶
Run syncoid at this interval. The default is to run hourly.
The format is described insystemd.time7.
Type: string
Default:
"hourly"Example:
"\*-*-* \*:15:00"Declared by:
services.syncoid.sshKey¶
SSH private key file to use to login to the remote system. Can be overridden in individual commands.
Type: null or path
Default:
nullDeclared by:
services.syncoid.user¶
The user for the service. Sudo or ZFS privilege delegation must be configured to use a user other than root.
Type: string
Default:
"root"Example:
"backup"Declared by:
services.syncplay.enable¶
If enabled, start the Syncplay server.
Type: boolean
Default:
falseDeclared by:
services.syncplay.certDir¶
TLS certificates directory to use for encryption. See` <https://github.com/Syncplay/syncplay/wiki/TLS-support>`_.
Type: null or path
Default:
nullDeclared by:
services.syncplay.group¶
Group to use when running Syncplay.
Type: string
Default:
"nogroup"Declared by:
services.syncplay.port¶
TCP port to bind to.
Type: signed integer
Default:
8999Declared by:
services.syncplay.salt¶
Salt to allow room operator passwords generated by this server instance to still work when the server is restarted.
Type: null or string
Default:
nullDeclared by:
services.syncplay.user¶
User to use when running Syncplay.
Type: string
Default:
"nobody"Declared by:
services.syncthing.enable¶
Whether to enable Syncthing - the self-hosted open-source alternative to Dropbox and Bittorrent Sync. Initial interface will be available on http://127.0.0.1:8384/. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.syncthing.package¶
Syncthing package to use.
Type: package
Default:
"pkgs.syncthing"Example:
pkgs.syncthingDeclared by:
services.syncthing.all_proxy¶
Overwrites all_proxy environment variable for the syncthing process to the given value. This is normaly used to let relay client connect through SOCKS5 proxy server.
Type: null or string
Default:
nullExample:
"socks5://address.com:1234"Declared by:
services.syncthing.configDir¶
Path where the settings and keys will exist.
Type: path
Default:
"/var/lib/syncthing/.config/syncthing"Declared by:
services.syncthing.dataDir¶
Path where synced directories will exist.
Type: path
Default:
"/var/lib/syncthing"Declared by:
services.syncthing.declarative.cert¶
Path to users cert.pem file, will be copied into the syncthing’s``configDir``
Type: null or string
Default:
nullDeclared by:
services.syncthing.declarative.devices¶
Peers/devices which syncthing should communicate with.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ bigbox = { addresses = [ "tcp://192.168.0.10:51820" ] ; id = "7CFNTQM-IMTJBHJ-3UWRDIU-ZGQJFR6-VCXZ3NB-XUH3KZO-N52ITXR-LAIYUAU"; } ; }Declared by:
services.syncthing.declarative.devices.<name>.addresses¶
The addresses used to connect to the device. If this is let empty, dynamic configuration is attempted
Type: list of strings
Default: ``[
]``
Declared by:
services.syncthing.declarative.devices.<name>.id¶
The id of the other peer, this is mandatory. It’s documented at https://docs.syncthing.net/dev/device-ids.html
Type: string
Declared by:
services.syncthing.declarative.devices.<name>.introducer¶
If the device should act as an introducer and be allowed to add folders on this computer.
Type: boolean
Default:
falseDeclared by:
services.syncthing.declarative.devices.<name>.name¶
Name of the device
Type: string
Default:
"‹name›"Declared by:
services.syncthing.declarative.folders¶
folders which should be shared by syncthing.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ /home/user/sync = { devices = [ "bigbox" ] ; id = "syncme"; } ; }Declared by:
services.syncthing.declarative.folders.<name>.enable¶
share this folder. This option is useful when you want to define all folders in one place, but not every machine should share all folders.
Type: boolean
Default:
trueDeclared by:
services.syncthing.declarative.folders.<name>.devices¶
The devices this folder should be shared with. Must be defined in the
declarative.devicesattribute.Type: list of strings
Default: ``[
]``
Declared by:
services.syncthing.declarative.folders.<name>.id¶
The id of the folder. Must be the same on all devices.
Type: string
Default:
"‹name›"Declared by:
services.syncthing.declarative.folders.<name>.ignorePerms¶
Whether to propagate permission changes.
Type: boolean
Default:
trueDeclared by:
services.syncthing.declarative.folders.<name>.label¶
The label of the folder.
Type: string
Default:
"‹name›"Declared by:
services.syncthing.declarative.folders.<name>.path¶
The path to the folder which should be shared.
Type: string
Default:
"‹name›"Declared by:
services.syncthing.declarative.folders.<name>.rescanInterval¶
How often the folders should be rescaned for changes.
Type: signed integer
Default:
3600Declared by:
services.syncthing.declarative.folders.<name>.type¶
Whether to send only changes from this folder, only receive them or propagate both.
Type: one of “sendreceive”, “sendonly”, “receiveonly”
Default:
"sendreceive"Declared by:
services.syncthing.declarative.folders.<name>.versioning¶
How to keep changed/deleted files with syncthing. There are 4 different types of versioning with different parameters. See https://docs.syncthing.net/users/versioning.html
Type: null or submodule
Default:
nullExample: ``[
{ versioning = { params = { keep = “10”; } ; type = “simple”; } ; }
{ versioning = { params = { cleanoutDays = “1000”; } ; type = “trashcan”; } ; }
{ versioning = { params = { cleanInterval = “3600”; maxAge = “31536000”; versionsPath = “/syncthing/backup”; } ; type = “staggered”; } ; }
{ versioning = { params = { versionsPath = (build of backup); } ; type = “external”; } ; }
]``
Declared by:
services.syncthing.declarative.folders.<name>.versioning.params¶
Parameters for versioning. Structure depends on versioning.type. See https://docs.syncthing.net/users/versioning.html
Type: attribute set of string or paths
Declared by:
services.syncthing.declarative.folders.<name>.versioning.type¶
Type of versioning. See https://docs.syncthing.net/users/versioning.html
Type: one of “external”, “simple”, “staggered”, “trashcan”
Declared by:
services.syncthing.declarative.folders.<name>.watch¶
Whether the folder should be watched for changes by inotify.
Type: boolean
Default:
trueDeclared by:
services.syncthing.declarative.folders.<name>.watchDelay¶
The delay after an inotify event is triggered.
Type: signed integer
Default:
10Declared by:
services.syncthing.declarative.key¶
Path to users key.pem file, will be copied into the syncthing’s``configDir``
Type: null or string
Default:
nullDeclared by:
services.syncthing.declarative.overrideDevices¶
Whether to delete the devices which are not configured via the``declarative.devices`` option. If set to false, devices added via the webinterface will persist but will have to be deleted manually.
Type: boolean
Default:
trueDeclared by:
services.syncthing.declarative.overrideFolders¶
Whether to delete the folders which are not configured via the``declarative.folders`` option. If set to false, folders added via the webinterface will persist but will have to be deleted manually.
Type: boolean
Default:
trueDeclared by:
services.syncthing.group¶
Syncthing will be run under this group (group will not be created if it doesn’t exist. This can be your user name).
Type: string
Default:
"syncthing"Declared by:
services.syncthing.guiAddress¶
Address to serve the GUI.
Type: string
Default:
"127.0.0.1:8384"Declared by:
services.syncthing.openDefaultPorts¶
Open the default ports in the firewall: - TCP 22000 for transfers - UDP 21027 for discovery If multiple users are running syncthing on this machine, you will need to manually open a set of ports for each instance and leave this disabled. Alternatively, if are running only a single instance on this machine using the default ports, enable this.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.syncthing.relay.enable¶
Whether to enable Syncthing relay service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.syncthing.relay.extraOptions¶
Extra command line arguments to pass to strelaysrv.
Type: list of strings
Default: ``[
]``
Declared by:
services.syncthing.relay.globalRateBps¶
Global bandwidth rate limit in bytes per second.
Type: null or positive integer, meaning >0
Default:
nullDeclared by:
services.syncthing.relay.listenAddress¶
Address to listen on for relay traffic.
Type: string
Default:
""Example:
"1.2.3.4"Declared by:
services.syncthing.relay.perSessionRateBps¶
Per session bandwidth rate limit in bytes per second.
Type: null or positive integer, meaning >0
Default:
nullDeclared by:
services.syncthing.relay.pools¶
Relay pools to join. If null, uses the default global pool.
Type: null or list of strings
Default:
nullDeclared by:
services.syncthing.relay.port¶
Port to listen on for relay traffic. This port should be added to``networking.firewall.allowedTCPPorts``.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
22067Declared by:
services.syncthing.relay.providedBy¶
Human-readable description of the provider of the relay (you).
Type: string
Default:
""Declared by:
services.syncthing.relay.statusListenAddress¶
Address to listen on for serving the relay status API.
Type: string
Default:
""Example:
"1.2.3.4"Declared by:
services.syncthing.relay.statusPort¶
Port to listen on for serving the relay status API. This port should be added to
networking.firewall.allowedTCPPorts.Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
22070Declared by:
services.syncthing.systemService¶
Auto launch Syncthing as a system service.
Type: boolean
Default:
trueDeclared by:
services.syncthing.user¶
Syncthing will be run under this user (user will be created if it doesn’t exist. This can be your user name).
Type: string
Default:
"syncthing"Declared by:
services.synergy.client.enable¶
Whether to enable the Synergy client (receive keyboard and mouse events from a Synergy server).
Type: unspecified
Default:
falseDeclared by:
services.synergy.client.autoStart¶
Whether the Synergy client should be started automatically.
Type: boolean
Default:
trueDeclared by:
services.synergy.client.screenName¶
Use the given name instead of the hostname to identify ourselves to the server.
Type: unspecified
Default:
""Declared by:
services.synergy.client.serverAddress¶
The server address is of the form: [hostname][:port]. The hostname must be the address or hostname of the server. The port overrides the default port, 24800.
Type: unspecified
Declared by:
services.synergy.server.enable¶
Whether to enable the Synergy server (send keyboard and mouse events).
Type: unspecified
Default:
falseDeclared by:
services.synergy.server.address¶
Address on which to listen for clients.
Type: unspecified
Default:
""Declared by:
services.synergy.server.autoStart¶
Whether the Synergy server should be started automatically.
Type: boolean
Default:
trueDeclared by:
services.synergy.server.configFile¶
The Synergy server configuration file.
Type: unspecified
Default:
"/etc/synergy-server.conf"Declared by:
services.synergy.server.screenName¶
Use the given name instead of the hostname to identify this screen in the configuration.
Type: unspecified
Default:
""Declared by:
services.syslog-ng.enable¶
Whether to enable the syslog-ng daemon.
Type: boolean
Default:
falseDeclared by:
services.syslog-ng.package¶
The package providing syslog-ng binaries.
Type: package
Default:
"pkgs.syslogng"Declared by:
services.syslog-ng.configHeader¶
The very first lines of the configuration file. Should usually contain the syslog-ng version header.
Type: strings concatenated with “\n”
Default:
'' @version: 3.6 @include "scl.conf" ''Declared by:
services.syslog-ng.extraConfig¶
Configuration added to the end of
syslog-ng.conf.Type: strings concatenated with “\n”
Default:
""Declared by:
services.syslog-ng.extraModulePaths¶
A list of paths that should be included in syslog-ng’s``–module-path`` option. They should usually end in
/lib/syslog-ngType: list of strings
Default: ``[
]``
Example:
[ "${pkgs.syslogng_incubator}/lib/syslog-ng" ]Declared by:
services.syslogd.enable¶
Whether to enable syslogd. Note that systemd also logs syslog messages, so you normally don’t need to run syslogd.
Type: boolean
Default:
falseDeclared by:
services.syslogd.enableNetworkInput¶
Accept logging through UDP. Option -r of syslogd(8).
Type: boolean
Default:
falseDeclared by:
services.syslogd.defaultConfig¶
The default
syslog.conffile configures a fairly standard setup of log files, which can be extended by means ofextraConfig.Type: strings concatenated with “\n”
Default:
'' # Send emergency messages to all users. *.emerg * # "local1" is used for dhcpd messages. local1.* -/var/log/dhcpd mail.* -/var/log/mail *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;local1.none -/var/log/messages ''Declared by:
services.syslogd.extraConfig¶
Additional text appended to
syslog.conf, i.e. the contents ofdefaultConfig.Type: strings concatenated with “\n”
Default:
""Example:
"news.* -/var/log/news"Declared by:
services.syslogd.extraParams¶
Additional parameters passed to syslogd.
Type: list of strings
Default: ``[
]``
Example:
[ "-m 0" ]Declared by:
services.syslogd.tty¶
The tty device on which syslogd will print important log messages. Leave this option blank to disable tty logging.
Type: string
Default:
"tty10"Declared by:
services.sysprof.enable¶
Whether to enable sysprof profiling daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sysstat.enable¶
Whether to enable sar system activity collection.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.sysstat.collect-args¶
Arguments to pass sa1 when collecting statistics
Type: string
Default:
"1 1"Declared by:
services.sysstat.collect-frequency¶
OnCalendar specification for sysstat-collect
Type: string
Default:
"\*:00/10"Declared by:
services.system-config-printer.enable¶
Whether to enable system-config-printer, a service for CUPS administration used by printing interfaces.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tahoe.introducers¶
services.tahoe.introducers.<name>.package¶
The package to use for the Tahoe LAFS daemon.
Type: package
Default:
"pkgs.tahoelafs"Example:
pkgs.tahoelafsDeclared by:
services.tahoe.introducers.<name>.nickname¶
The nickname of this Tahoe introducer.
Type: string
Declared by:
services.tahoe.introducers.<name>.tub.location¶
The external location that the introducer should listen on.
If specified, the port should be included.
Type: null or string
Default:
nullDeclared by:
services.tahoe.introducers.<name>.tub.port¶
The port on which the introducer will listen.
Type: signed integer
Default:
3458Declared by:
services.tahoe.nodes¶
services.tahoe.nodes.<name>.package¶
The package to use for the Tahoe LAFS daemon.
Type: package
Default:
"pkgs.tahoelafs"Example:
pkgs.tahoelafsDeclared by:
services.tahoe.nodes.<name>.client.helper¶
The furl for a Tahoe helper node.
Like all furls, keep this safe and don’t share it.
Type: null or string
Default:
nullDeclared by:
services.tahoe.nodes.<name>.client.introducer¶
The furl for a Tahoe introducer node.
Like all furls, keep this safe and don’t share it.
Type: null or string
Default:
nullDeclared by:
services.tahoe.nodes.<name>.helper.enable¶
Whether to enable helper service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tahoe.nodes.<name>.nickname¶
The nickname of this Tahoe node.
Type: string
Declared by:
services.tahoe.nodes.<name>.sftpd.enable¶
Whether to enable SFTP service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tahoe.nodes.<name>.sftpd.accounts.file¶
Path to the accounts file.
Type: null or path
Default:
nullDeclared by:
services.tahoe.nodes.<name>.sftpd.accounts.url¶
URL of the accounts server.
Type: null or string
Default:
nullDeclared by:
services.tahoe.nodes.<name>.sftpd.hostPrivateKeyFile¶
Path to the SSH host private key.
Type: null or path
Default:
nullDeclared by:
services.tahoe.nodes.<name>.sftpd.hostPublicKeyFile¶
Path to the SSH host public key.
Type: null or path
Default:
nullDeclared by:
services.tahoe.nodes.<name>.sftpd.port¶
The port on which the SFTP server will listen.
This is the correct setting to tweak if you want Tahoe’s SFTP daemon to listen on a different port.
Type: null or signed integer
Default:
nullDeclared by:
services.tahoe.nodes.<name>.storage.enable¶
Whether to enable storage service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tahoe.nodes.<name>.storage.reservedSpace¶
The amount of filesystem space to not use for storage.
Type: string
Default:
"1G"Declared by:
services.tahoe.nodes.<name>.tub.location¶
The external location that the node should listen on.
This is the setting to tweak if there are multiple interfaces and you want to alter which interface Tahoe is advertising.
If specified, the port should be included.
Type: null or string
Default:
nullDeclared by:
services.tahoe.nodes.<name>.tub.port¶
The port on which the tub will listen.
This is the correct setting to tweak if you want Tahoe’s storage system to listen on a different port.
Type: signed integer
Default:
3457Declared by:
services.tahoe.nodes.<name>.web.port¶
The port on which the Web server will listen.
This is the correct setting to tweak if you want Tahoe’s WUI to listen on a different port.
Type: signed integer
Default:
3456Declared by:
services.tarsnap.enable¶
Enable periodic tarsnap backups.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.archives¶
Tarsnap archive configurations. Each attribute names an archive to be created at a given time interval, according to the options associated with it. When uploading to the tarsnap server, archive names are suffixed by a 1 second resolution timestamp.
For each member of the set is created a timer which triggers the instanced
tarsnap-archive-nameservice unit. You may use:command:systemctl start tarsnap-archive-name to manually trigger creation ofarchive-nameat any time.Type: attribute set of submodules
Default: ``{
}``
Example:
{ nixos = { directories = [ "/home" "/root/ssl" ]; }; gamedata = { directories = [ "/var/lib/minecraft" ]; period = "*:30"; }; }Declared by:
services.tarsnap.archives.<name>.aggressiveNetworking¶
Upload data over multiple TCP connections, potentially increasing tarsnap’s bandwidth utilisation at the cost of slowing down all other network traffic. Not recommended unless TCP congestion is the dominant limiting factor.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.archives.<name>.cachedir¶
The cache allows tarsnap to identify previously stored data blocks, reducing archival time and bandwidth usage.
Should the cache become desynchronized or corrupted, tarsnap will refuse to run until you manually rebuild the cache with:command:tarsnap –fsck.
Set to
nullto disable caching.Type: null or path
Default:
"/var/cache/tarsnap/root-tarsnap.key"Declared by:
services.tarsnap.archives.<name>.checkpointBytes¶
Create a checkpoint every
checkpointBytesof uploaded data (optionally specified using an SI prefix).1GB is the minimum value. A higher value is recommended, as checkpointing is expensive.
Set to
nullto disable checkpointing.Type: null or string
Default:
"1GB"Declared by:
services.tarsnap.archives.<name>.directories¶
services.tarsnap.archives.<name>.excludes¶
Exclude files and directories matching these patterns.
Type: list of strings
Default: ``[
]``
Declared by:
services.tarsnap.archives.<name>.explicitSymlinks¶
Whether to follow symlinks specified as archives.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.archives.<name>.followSymlinks¶
Whether to follow all symlinks in archive trees.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.archives.<name>.includes¶
Include only files and directories matching these patterns (the empty list includes everything).
Exclusions have precedence over inclusions.
Type: list of strings
Default: ``[
]``
Declared by:
services.tarsnap.archives.<name>.keyfile¶
Set a specific keyfile for this archive. This defaults to``”/root/tarsnap.key”`` if left unspecified.
Use this option if you want to run multiple backups concurrently - each archive must have a unique key. You can generate a write-only key derived from your master key (which is recommended) using
tarsnap-keymgmt(1).Note: every archive must have an individual master key. You must generate multiple keys with``tarsnap-keygen(1)``, and then generate write only keys from those.
The keyfile name should be given as a string and not a path, to avoid the key being copied into the Nix store.
Type: string
Default:
"/root/tarsnap.key"Declared by:
services.tarsnap.archives.<name>.lowmem¶
Reduce memory consumption by not caching small files. Possibly beneficial if the average file size is smaller than 1 MB and the number of files is lower than the total amount of RAM in KB.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.archives.<name>.maxbw¶
Abort archival if upstream bandwidth usage in bytes exceeds this threshold.
Type: null or signed integer
Default:
nullDeclared by:
services.tarsnap.archives.<name>.maxbwRateDown¶
Download bandwidth rate limit in bytes.
Type: null or signed integer
Default:
nullExample:
50 * 1000Declared by:
services.tarsnap.archives.<name>.maxbwRateUp¶
Upload bandwidth rate limit in bytes.
Type: null or signed integer
Default:
nullExample:
25 * 1000Declared by:
services.tarsnap.archives.<name>.nodump¶
Exclude files with the
nodumpflag.Type: boolean
Default:
trueDeclared by:
services.tarsnap.archives.<name>.period¶
Create archive at this interval.
The format is described insystemd.time7.
Type: string
Default:
"01:15"Example:
"hourly"Declared by:
services.tarsnap.archives.<name>.printStats¶
Print global archive statistics upon completion. The output is available via:command:systemctl status tarsnap-archive-name.
Type: boolean
Default:
trueDeclared by:
services.tarsnap.archives.<name>.verbose¶
Whether to produce verbose logging output.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.archives.<name>.verylowmem¶
Reduce memory consumption by a factor of 2 beyond what``lowmem`` does, at the cost of significantly slowing down the archiving process.
Type: boolean
Default:
falseDeclared by:
services.tarsnap.keyfile¶
The keyfile which associates this machine with your tarsnap account. Create the keyfile with tarsnap-keygen.
Note that each individual archive (specified below) may also have its own individual keyfile specified. Tarsnap does not allow multiple concurrent backups with the same cache directory and key (starting a new backup will cause another one to fail). If you have multiple archives specified, you should either spread out your backups to be far apart, or specify a separate key for each archive. By default every archive defaults to using``”/root/tarsnap.key”``.
It’s recommended for backups that you generate a key for every archive using
tarsnap-keygen(1), and then generate a write-only tarsnap key usingtarsnap-keymgmt(1), and keep your master key(s) for a particular machine off-site.The keyfile name should be given as a string and not a path, to avoid the key being copied into the Nix store.
Type: string
Default:
"/root/tarsnap.key"Declared by:
services.taskserver.enable¶
Whether to enable the Taskwarrior server.
More instructions about NixOS in conjuction with Taskserver can be found in the NixOS manual at.
Type: boolean
Default:
falseDeclared by:
services.taskserver.allowedClientIDs¶
A list of regular expressions that are matched against the reported client id (such as
task 2.3.0).The values
allornonehave special meaning. Overidden by any entry in the option.Type: string or list of strings
Default: ``[
]``
Example:
[ "\[Tt]ask \[2-9]+" ]Declared by:
services.taskserver.ciphers¶
List of GnuTLS ciphers to use. See the GnuTLS documentation about priority strings at ` <https://gnutls.org/manual/html_node/Priority-Strings.html>`_ for full details.
Type: null or strings concatenated with “:”
Default:
nullExample:
"NORMAL:-VERS-SSL3.0"Declared by:
services.taskserver.config¶
Configuration options to pass to Taskserver.
The options here are the same as described in taskdrc5, but with one difference:
The
serveroption is``server.listen`` here, because the``server`` option would collide with other options likeserver.certand we would run in a type error (attribute set versus string).Nix types like integers or booleans are automatically converted to the right values Taskserver would expect.
Type: attribute set
Example:
{ client = { cert = "/tmp/debugging.cert"; } ; }Declared by:
services.taskserver.confirmation¶
Determines whether certain commands are confirmed.
Type: boolean
Default:
trueDeclared by:
services.taskserver.dataDir¶
Data directory for Taskserver.
Type: path
Default:
"/var/lib/taskserver"Declared by:
services.taskserver.debug¶
Logs debugging information.
Type: boolean
Default:
falseDeclared by:
services.taskserver.disallowedClientIDs¶
A list of regular expressions that are matched against the reported client id (such as
task 2.3.0).The values
allornonehave special meaning. Any entry here overrides those in.Type: string or list of strings
Default: ``[
]``
Example:
[ "\[Tt]ask \[2-9]+" ]Declared by:
services.taskserver.extensions¶
Fully qualified path of the Taskserver extension scripts. Currently there are none.
Type: null or path
Default:
nullDeclared by:
services.taskserver.fqdn¶
The fully qualified domain name of this server, which is also used as the common name in the certificates.
Type: string
Default:
"localhost"Declared by:
services.taskserver.group¶
Group for Taskserver.
Type: string
Default:
"taskd"Declared by:
services.taskserver.ipLog¶
Logs the IP addresses of incoming requests.
Type: boolean
Default:
falseDeclared by:
services.taskserver.listenHost¶
The address (IPv4, IPv6 or DNS) to listen on.
If the value is something else than
localhostthe port defined by is automatically added to.Type: string
Default:
"localhost"Example:
"::"Declared by:
services.taskserver.listenPort¶
Port number of the Taskserver.
Type: signed integer
Default:
53589Declared by:
services.taskserver.organisations¶
An attribute set where the keys name the organisation and the values are a set of lists of and.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ myShinyOrganisation = { groups = [ "staff" "outsiders" ] ; users = [ "alice" "bob" ] ; } ; yetAnotherOrganisation = { users = [ "foo" "bar" ] ; } ; }Declared by:
services.taskserver.organisations.<name>.groups¶
A list of group names that belong to the organization.
Type: list of strings
Default: ``[
]``
Example:
[ "workers" "slackers" ]Declared by:
services.taskserver.organisations.<name>.users¶
A list of user names that belong to the organization.
Type: list of strings
Default: ``[
]``
Example:
[ "alice" "bob" ]Declared by:
services.taskserver.pki.auto.bits¶
The bit size for generated keys.
Note
This option is for the automatically handled CA and will be ignored if any of the options are set.
Type: signed integer
Default:
4096Example:
2048Declared by:
services.taskserver.pki.auto.expiration.ca¶
The expiration time of the CA certificate in days or
nullfor no expiration time.Note
This option is for the automatically handled CA and will be ignored if any of the options are set.
Type: null or signed integer
Default:
nullExample:
365Declared by:
services.taskserver.pki.auto.expiration.client¶
The expiration time of client certificates in days or
nullfor no expiration time.Note
This option is for the automatically handled CA and will be ignored if any of the options are set.
Type: null or signed integer
Default:
nullExample:
365Declared by:
services.taskserver.pki.auto.expiration.crl¶
The expiration time of the certificate revocation list (CRL) in days or
nullfor no expiration time.Note
This option is for the automatically handled CA and will be ignored if any of the options are set.
Type: null or signed integer
Default:
nullExample:
365Declared by:
services.taskserver.pki.auto.expiration.server¶
The expiration time of the server certificate in days or
nullfor no expiration time.Note
This option is for the automatically handled CA and will be ignored if any of the options are set.
Type: null or signed integer
Default:
nullExample:
365Declared by:
services.taskserver.pki.manual.ca.cert¶
Fully qualified path to the CA certificate.
Note
Setting this option will prevent automatic CA creation and handling.
Type: null or path
Default:
nullDeclared by:
services.taskserver.pki.manual.server.cert¶
Fully qualified path to the server certificate.
Note
Setting this option will prevent automatic CA creation and handling.
Type: null or path
Default:
nullDeclared by:
services.taskserver.pki.manual.server.crl¶
Fully qualified path to the server certificate revocation list.
Note
Setting this option will prevent automatic CA creation and handling.
Type: null or path
Default:
nullDeclared by:
services.taskserver.pki.manual.server.key¶
Fully qualified path to the server key.
Note
Setting this option will prevent automatic CA creation and handling.
Type: null or path
Default:
nullDeclared by:
services.taskserver.queueSize¶
Size of the connection backlog, see listen2.
Type: signed integer
Default:
10Declared by:
services.taskserver.requestLimit¶
Size limit of incoming requests, in bytes.
Type: signed integer
Default:
1048576Declared by:
services.taskserver.trust¶
Determines how client certificates are validated.
The value
allow allperforms no client certificate validation. This is not recommended. The value``strict`` causes the client certificate to be validated against a CA.Type: one of “allow all”, “strict”
Default:
"strict"Declared by:
services.taskserver.user¶
User for Taskserver.
Type: string
Default:
"taskd"Declared by:
services.tautulli.enable¶
Whether to enable Tautulli Plex Monitor.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tautulli.package¶
The Tautulli package to use.
Type: package
Default:
"pkgs.tautulli"Declared by:
services.tautulli.configFile¶
The location of Tautulli’s config file.
Type: string
Default:
"/var/lib/plexpy/config.ini"Declared by:
services.tautulli.dataDir¶
The directory where Tautulli stores its data files.
Type: string
Default:
"/var/lib/plexpy"Declared by:
services.tautulli.group¶
Group under which Tautulli runs.
Type: string
Default:
"nogroup"Declared by:
services.tautulli.port¶
TCP port where Tautulli listens.
Type: signed integer
Default:
8181Declared by:
services.tautulli.user¶
User account under which Tautulli runs.
Type: string
Default:
"plexpy"Declared by:
services.tcsd.enable¶
Whether to enable tcsd, a Trusted Computing management service that provides TCG Software Stack (TSS). The tcsd daemon is the only portal to the Trusted Platform Module (TPM), a hardware chip on the motherboard.
Type: boolean
Default:
falseDeclared by:
services.tcsd.conformanceCred¶
Path to the conformance credential for your TPM. See also the platformCred option
Type: path
Default:
"/var/lib/tpm/conformance.cert"Declared by:
services.tcsd.endorsementCred¶
Path to the endorsement credential for your TPM. See also the platformCred option
Type: path
Default:
"/var/lib/tpm/endorsement.cert"Declared by:
services.tcsd.firmwarePCRs¶
PCR indices used in the TPM for firmware measurements.
Type: string
Default:
"0,1,2,3,4,5,6,7"Declared by:
services.tcsd.group¶
Group account under which tcsd runs.
Type: string
Default:
"tss"Declared by:
services.tcsd.kernelPCRs¶
PCR indices used in the TPM for kernel measurements.
Type: string
Default:
"8,9,10,11,12"Declared by:
services.tcsd.platformCred¶
Path to the platform credential for your TPM. Your TPM manufacturer may have provided you with a set of credentials (certificates) that should be used when creating identities using your TPM. When a user of your TPM makes an identity, this credential will be encrypted as part of that process. See the 1.1b TPM Main specification section 9.3 for information on this process.
Type: path
Default:
"/var/lib/tpm/platform.cert"Declared by:
services.tcsd.stateDir¶
The location of the system persistent storage file. The system persistent storage file holds keys and data across restarts of the TCSD and system reboots.
Type: path
Default:
"/var/lib/tpm"Declared by:
services.tcsd.user¶
User account under which tcsd runs.
Type: string
Default:
"tss"Declared by:
services.teamspeak3.enable¶
Whether to run the Teamspeak3 voice communication server daemon.
Type: boolean
Default:
falseDeclared by:
services.teamspeak3.dataDir¶
Directory to store TS3 database and other state/data files.
Type: path
Default:
"/var/lib/teamspeak3-server"Declared by:
services.teamspeak3.defaultVoicePort¶
Default UDP port for clients to connect to virtual servers - used for first virtual server, subsequent ones will open on incrementing port numbers by default.
Type: signed integer
Default:
9987Declared by:
services.teamspeak3.fileTransferIP¶
IP on which the server instance will listen for incoming file transfer connections. Defaults to any IP.
Type: null or string
Default:
nullExample:
"0.0.0.0"Declared by:
services.teamspeak3.fileTransferPort¶
TCP port opened for file transfers.
Type: signed integer
Default:
30033Declared by:
services.teamspeak3.logPath¶
Directory to store log files in.
Type: path
Default:
"/var/log/teamspeak3-server/"Declared by:
services.teamspeak3.queryIP¶
IP on which the server instance will listen for incoming ServerQuery connections. Defaults to any IP.
Type: null or string
Default:
nullExample:
"0.0.0.0"Declared by:
services.teamspeak3.queryPort¶
TCP port opened for ServerQuery connections.
Type: signed integer
Default:
10011Declared by:
services.teamspeak3.voiceIP¶
IP on which the server instance will listen for incoming voice connections. Defaults to any IP.
Type: null or string
Default:
nullExample:
"0.0.0.0"Declared by:
services.teamviewer.enable¶
Whether to enable TeamViewer daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tedicross.enable¶
Whether to enable the TediCross Telegram-Discord bridge service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tedicross.config¶
settings.yamlconfiguration as a Nix attribute set. Secret tokens should be specified using instead of this world-readable file.Type: attribute set
Example:
{ telegram = { useFirstNameInsteadOfUsername = false; colonAfterSenderName = false; skipOldMessages = true; sendEmojiWithStickers = true; }; discord = { useNickname = false; skipOldMessages = true; displayTelegramReplies = "embed"; replyLength = 100; }; bridges = [ { name = "Default bridge"; direction = "both"; telegram = { chatId = -123456789; relayJoinMessages = true; relayLeaveMessages = true; sendUsernames = true; ignoreCommands = true; }; discord = { serverId = "DISCORD_SERVER_ID"; channelId = "DISCORD_CHANNEL_ID"; relayJoinMessages = true; relayLeaveMessages = true; sendUsernames = true; crossDeleteOnTelegram = true; }; } ]; debug = false; }Declared by:
services.tedicross.environmentFile¶
File containing environment variables to be passed to the TediCross service, in which secret tokens can be specified securely using the``TELEGRAM_BOT_TOKEN`` and
DISCORD_BOT_TOKENkeys.Type: null or path
Default:
nullDeclared by:
services.telegraf.enable¶
Whether to enable telegraf server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.telegraf.package¶
Which telegraf derivation to use
Type: package
Default:
"pkgs.telegraf"Declared by:
services.telegraf.extraConfig¶
Extra configuration options for telegraf
Type: attribute set
Default: ``{
}``
Example:
{ inputs = { statsd = { delete_timings = true; service_address = ":8125"; } ; } ; outputs = { influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ] ; } ; } ; }Declared by:
services.telepathy.enable¶
Whether to enable Telepathy service, a communications framework that enables real-time communication via pluggable protocol backends.
Type: boolean
Default:
falseDeclared by:
services.terraria.enable¶
If enabled, starts a Terraria server. The server can be connected to via
tmux -S /var/lib/terraria/terraria.sock attachfor administration by users who are a part of theterrariagroup (useC-b dshortcut to detach again).Type: boolean
Default:
falseDeclared by:
services.terraria.autoCreatedWorldSize¶
Specifies the size of the auto-created world if
worldPathdoes not point to an existing world.Type: one of “small”, “medium”, “large”
Default:
"medium"Declared by:
services.terraria.banListPath¶
The path to the ban list.
Type: null or path
Default:
nullDeclared by:
services.terraria.maxPlayers¶
Sets the max number of players (between 1 and 255).
Type: signed integer
Default:
255Declared by:
services.terraria.messageOfTheDay¶
Set the server message of the day text.
Type: null or string
Default:
nullDeclared by:
services.terraria.noUPnP¶
Disables automatic Universal Plug and Play.
Type: boolean
Default:
falseDeclared by:
services.terraria.password¶
Sets the server password. Leave
nullfor no password.Type: null or string
Default:
nullDeclared by:
services.terraria.port¶
Specifies the port to listen on.
Type: signed integer
Default:
7777Declared by:
services.terraria.secure¶
Adds additional cheat protection to the server.
Type: boolean
Default:
falseDeclared by:
services.terraria.worldPath¶
The path to the world file (
.wld) which should be loaded. If no world exists at this path, one will be created with the size specified byautoCreatedWorldSize.Type: null or path
Default:
nullDeclared by:
services.tftpd.enable¶
Whether to enable tftpd, a Trivial File Transfer Protocol server. The server will be run as an xinetd service.
Type: boolean
Default:
falseDeclared by:
services.tftpd.path¶
Where the tftp server files are stored.
Type: path
Default:
"/srv/tftp"Declared by:
services.thanos.package¶
The thanos package that should be used.
Type: package
Default:
"pkgs.thanos"Declared by:
services.thanos.compact.enable¶
Whether to enable the Thanos compactor which continuously compacts blocks in an object store bucket.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.compact.arguments¶
Arguments to the
thanos compactcommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default:
[ "--wait" ''--data-dir="/var/lib/thanos-compact"'' ]Declared by:
services.thanos.compact.block-sync-concurrency¶
Number of goroutines to use when syncing block metadata from object storage.
Defaults to
20in Thanos when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.thanos.compact.compact.concurrency¶
Number of goroutines to use when compacting groups.
Defaults to
1in Thanos when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.thanos.compact.consistency-delay¶
Minimum age of fresh (non-compacted) blocks before they are being processed. Malformed blocks older than the maximum of consistency-delay and 30m0s will be removed.
Defaults to
30min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.compact.downsampling.disable¶
Disables downsampling.
This is not recommended as querying long time ranges without non-downsampled data is not efficient and useful e.g it is not possible to render all samples for a human eye anyway
Type: boolean
Default:
falseDeclared by:
services.thanos.compact.http-address¶
Listen
host:portfor HTTP endpoints.Defaults to
0.0.0.0:10902in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.compact.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.compact.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.compact.objstore.config¶
Object store configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.compact.objstore.config-file¶
Path to YAML file that contains object store configuration.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''Declared by:
services.thanos.compact.retention.resolution-1h¶
How long to retain samples of resolution 2 (1 hour) in bucket.
0d- disables this retentionDefaults to
0din Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.compact.retention.resolution-5m¶
How long to retain samples of resolution 1 (5 minutes) in bucket.
0d- disables this retentionDefaults to
0din Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.compact.retention.resolution-raw¶
How long to retain raw samples in bucket.
0d- disables this retentionDefaults to
0din Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.compact.startAt¶
When this option is set to a
systemd.timespecification the Thanos compactor will run at the specified period.When this option is
nullthe Thanos compactor service will run continuously. So it will not exit after all compactions have been processed but wait for new work.Type: null or string
Default:
nullDeclared by:
services.thanos.compact.stateDir¶
Data directory relative to
/var/libin which to cache blocks and process compactions.Type: string
Default:
"thanos-compact"Declared by:
services.thanos.compact.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.compact.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thanos.downsample.enable¶
Whether to enable the Thanos downsampler which continuously downsamples blocks in an object store bucket.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.downsample.arguments¶
Arguments to the
thanos downsamplecommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default:
[ ''--data-dir="/var/lib/thanos-downsample"'' ]Declared by:
services.thanos.downsample.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.downsample.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.downsample.objstore.config¶
Object store configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.downsample.objstore.config-file¶
Path to YAML file that contains object store configuration.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''Declared by:
services.thanos.downsample.stateDir¶
Data directory relative to
/var/libin which to cache blocks and process downsamplings.Type: string
Default:
"thanos-downsample"Declared by:
services.thanos.downsample.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.downsample.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thanos.query.enable¶
Whether to enable the Thanos query node exposing PromQL enabled Query API with data retrieved from multiple store nodes.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.query.arguments¶
Arguments to the
thanos querycommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.query.grpc-address¶
Listen
ip:portaddress for gRPC endpoints (StoreAPI).Make sure this address is routable from other components.
Defaults to
0.0.0.0:10901in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-client-server-name¶
Server name to verify the hostname on the returned gRPC certificates. See ` <https://tools.ietf.org/html/rfc4366#section-3.1>`_
Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-client-tls-ca¶
TLS CA Certificates to use to verify gRPC servers
Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-client-tls-cert¶
TLS Certificates to use to identify this client to the server
Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-client-tls-key¶
TLS Key for the client’s certificate
Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-client-tls-secure¶
Use TLS when talking to the gRPC server
Type: boolean
Default:
falseDeclared by:
services.thanos.query.grpc-server-tls-cert¶
TLS Certificate for gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-server-tls-client-ca¶
TLS CA to verify clients against.
If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)
Type: null or string
Default:
nullDeclared by:
services.thanos.query.grpc-server-tls-key¶
TLS Key for the gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.query.http-address¶
Listen
host:portfor HTTP endpoints.Defaults to
0.0.0.0:10902in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.query.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.query.query.auto-downsampling¶
Enable automatic adjustment (step / 5) to what source of data should be used in store gateways if no``max_source_resolution`` param is specified.
Type: boolean
Default:
falseDeclared by:
services.thanos.query.query.default-evaluation-interval¶
Set default evaluation interval for sub queries.
Defaults to
1min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.query.max-concurrent¶
Maximum number of queries processed concurrently by query node.
Defaults to
20in Thanos when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.thanos.query.query.partial-response¶
Enable partial response for queries if no``partial_response`` param is specified.
Type: boolean
Default:
falseDeclared by:
services.thanos.query.query.replica-label¶
Label to treat as a replica indicator along which data is deduplicated.
Still you will be able to query without deduplication using``dedup=false`` parameter.
Type: null or string
Default:
nullDeclared by:
services.thanos.query.query.timeout¶
Maximum time to process query by query node.
Defaults to
2min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.selector-labels¶
Query selector labels that will be exposed in info endpoint.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.thanos.query.store.addresses¶
Addresses of statically configured store API servers.
The scheme may be prefixed with
dns+or``dnssrv+`` to detect store API servers through respective DNS lookups.Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.query.store.response-timeout¶
If a Store doesn’t send any data in this specified duration then a Store will be ignored and partial data will be returned if it’s enabled.
0disables timeout.Defaults to
0msin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.store.sd-dns-interval¶
Interval between DNS resolutions.
Defaults to
30sin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.store.sd-files¶
Path to files that contain addresses of store API servers. The path can be a glob pattern.
Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.query.store.sd-interval¶
Refresh interval to re-read file SD files. It is used as a resync fallback.
Defaults to
5min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.store.unhealthy-timeout¶
Timeout before an unhealthy store is cleaned from the store UI page.
Defaults to
5min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.query.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.query.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thanos.query.web.external-prefix¶
Static prefix for all HTML links and redirect URLs in the UI query web interface.
Actual endpoints are still served on / or the. This allows thanos UI to be served behind a reverse proxy that strips a URL sub-path.
Type: null or string
Default:
nullDeclared by:
services.thanos.query.web.prefix-header¶
Name of HTTP request header used for dynamic prefixing of UI links and redirects.
This option is ignored if the option``web.external-prefix`` is set.
Security risk: enable this option only if a reverse proxy in front of thanos is resetting the header.
The setting
web.prefix-header="X-Forwarded-Prefix"can be useful, for example, if Thanos UI is served via Traefik reverse proxy withPathPrefixStripoption enabled, which sends the stripped prefix value inX-Forwarded-Prefixheader. This allows thanos UI to be served on a sub-path.Type: null or string
Default:
nullDeclared by:
services.thanos.query.web.route-prefix¶
Prefix for API and UI endpoints.
This allows thanos UI to be served on a sub-path. This option is analogous to of Promethus.
Type: null or string
Default:
nullDeclared by:
services.thanos.receive.enable¶
Whether to enable the Thanos receiver which accept Prometheus remote write API requests and write to local tsdb (EXPERIMENTAL, this may change drastically without notice).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.receive.arguments¶
Arguments to the
thanos receivecommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default:
[ ''--tsdb.path="/var/lib/thanos-receive"'' ]Declared by:
services.thanos.receive.grpc-address¶
Listen
ip:portaddress for gRPC endpoints (StoreAPI).Make sure this address is routable from other components.
Defaults to
0.0.0.0:10901in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.receive.grpc-server-tls-cert¶
TLS Certificate for gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.receive.grpc-server-tls-client-ca¶
TLS CA to verify clients against.
If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)
Type: null or string
Default:
nullDeclared by:
services.thanos.receive.grpc-server-tls-key¶
TLS Key for the gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.receive.http-address¶
Listen
host:portfor HTTP endpoints.Defaults to
0.0.0.0:10902in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.receive.labels¶
External labels to announce.
This flag will be removed in the future when handling multiple tsdb instances is added.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.thanos.receive.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.receive.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.receive.objstore.config¶
Object store configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.receive.objstore.config-file¶
Path to YAML file that contains object store configuration.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''Declared by:
services.thanos.receive.remote-write.address¶
Address to listen on for remote write requests.
Defaults to
0.0.0.0:19291in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.receive.stateDir¶
Data directory relative to
/var/libof TSDB.Type: string
Default:
"thanos-receive"Declared by:
services.thanos.receive.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.receive.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thanos.receive.tsdb.retention¶
How long to retain raw samples on local storage.
0d- disables this retentionDefaults to
15din Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.enable¶
Whether to enable the Thanos ruler service which evaluates Prometheus rules against given Query nodes, exposing Store API and storing old blocks in bucket.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.rule.alert.label-drop¶
Labels by name to drop before sending to alertmanager.
This allows alert to be deduplicated on replica label.
Similar Prometheus alert relabelling
Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.rule.alert.query-url¶
The external Thanos Query URL that would be set in all alerts ‘Source’ field.
Type: null or string
Default:
nullDeclared by:
services.thanos.rule.alertmanagers.send-timeout¶
Timeout for sending alerts to alertmanager.
Defaults to
10sin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.alertmanagers.urls¶
Alertmanager replica URLs to push firing alerts.
Ruler claims success if push to at least one alertmanager from discovered succeeds. The scheme may be prefixed with``dns+`` or
dnssrv+to detect Alertmanager IPs through respective DNS lookups. The port defaults to``9093`` or the SRV record’s value. The URL path is used as a prefix for the regular Alertmanager API path.Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.rule.arguments¶
Arguments to the
thanos rulecommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default:
[ ''--data-dir="/var/lib/thanos-rule"'' ]Declared by:
services.thanos.rule.eval-interval¶
The default evaluation interval to use.
Defaults to
30sin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.grpc-address¶
Listen
ip:portaddress for gRPC endpoints (StoreAPI).Make sure this address is routable from other components.
Defaults to
0.0.0.0:10901in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.grpc-server-tls-cert¶
TLS Certificate for gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.rule.grpc-server-tls-client-ca¶
TLS CA to verify clients against.
If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)
Type: null or string
Default:
nullDeclared by:
services.thanos.rule.grpc-server-tls-key¶
TLS Key for the gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.rule.http-address¶
Listen
host:portfor HTTP endpoints.Defaults to
0.0.0.0:10902in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.labels¶
Labels to be applied to all generated metrics.
Similar to external labels for Prometheus, used to identify ruler and its blocks as unique source.
Type: attribute set of strings
Default: ``{
}``
Declared by:
services.thanos.rule.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.rule.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.rule.objstore.config¶
Object store configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.rule.objstore.config-file¶
Path to YAML file that contains object store configuration.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''Declared by:
services.thanos.rule.query.addresses¶
Addresses of statically configured query API servers.
The scheme may be prefixed with
dns+or``dnssrv+`` to detect query API servers through respective DNS lookups.Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.rule.query.sd-dns-interval¶
Interval between DNS resolutions.
Defaults to
30sin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.query.sd-files¶
Path to file that contain addresses of query peers. The path can be a glob pattern.
Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.rule.query.sd-interval¶
Refresh interval to re-read file SD files. (used as a fallback)
Defaults to
5min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.rule-files¶
Rule files that should be used by rule manager. Can be in glob format.
Type: list of strings
Default: ``[
]``
Declared by:
services.thanos.rule.stateDir¶
Data directory relative to
/var/lib.Type: string
Default:
"thanos-rule"Declared by:
services.thanos.rule.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.rule.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thanos.rule.tsdb.block-duration¶
Block duration for TSDB block.
Defaults to
2hin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.tsdb.retention¶
Block retention time on local disk.
Defaults to
48hin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.web.external-prefix¶
Static prefix for all HTML links and redirect URLs in the UI query web interface.
Actual endpoints are still served on / or the. This allows thanos UI to be served behind a reverse proxy that strips a URL sub-path.
Type: null or string
Default:
nullDeclared by:
services.thanos.rule.web.prefix-header¶
Name of HTTP request header used for dynamic prefixing of UI links and redirects.
This option is ignored if the option is set.
Security risk: enable this option only if a reverse proxy in front of thanos is resetting the header.
The header
X-Forwarded-Prefixcan be useful, for example, if Thanos UI is served via Traefik reverse proxy with``PathPrefixStrip`` option enabled, which sends the stripped prefix value inX-Forwarded-Prefixheader. This allows thanos UI to be served on a sub-path.Type: null or string
Default:
nullDeclared by:
services.thanos.rule.web.route-prefix¶
Prefix for API and UI endpoints.
This allows thanos UI to be served on a sub-path.
This option is analogous to
--web.route-prefixof Promethus.Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.enable¶
Whether to enable the Thanos sidecar for Prometheus server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.sidecar.arguments¶
Arguments to the
thanos sidecarcommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default:
[ ''--tsdb.path="/var/lib/prometheus2/data"'' ]Declared by:
services.thanos.sidecar.grpc-address¶
Listen
ip:portaddress for gRPC endpoints (StoreAPI).Make sure this address is routable from other components.
Defaults to
0.0.0.0:10901in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.grpc-server-tls-cert¶
TLS Certificate for gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.grpc-server-tls-client-ca¶
TLS CA to verify clients against.
If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)
Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.grpc-server-tls-key¶
TLS Key for the gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.http-address¶
Listen
host:portfor HTTP endpoints.Defaults to
0.0.0.0:10902in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.sidecar.objstore.config¶
Object store configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.sidecar.objstore.config-file¶
Path to YAML file that contains object store configuration.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''Declared by:
services.thanos.sidecar.prometheus.url¶
URL at which to reach Prometheus’s API.
For better performance use local network.
Defaults to
http://localhost:9090in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.reloader.config-envsubst-file¶
Output file for environment variable substituted config file.
Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.reloader.config-file¶
Config file watched by the reloader.
Type: null or string
Default:
nullDeclared by:
services.thanos.sidecar.reloader.rule-dirs¶
services.thanos.sidecar.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.sidecar.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thanos.sidecar.tsdb.path¶
Data directory of TSDB.
Type: string
Default:
"/var/lib/\\${config.services.prometheus.stateDir}/data"Declared by:
services.thanos.store.enable¶
Whether to enable the Thanos store node giving access to blocks in a bucket provider..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thanos.store.arguments¶
Arguments to the
thanos storecommand.Defaults to a list of arguments formed by converting the structured options of to a list of arguments.
Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!
Type: list of strings
Default:
[ ''--data-dir="/var/lib/thanos-store"'' ]Declared by:
services.thanos.store.block-sync-concurrency¶
Number of goroutines to use when syncing blocks from object storage.
Defaults to
20in Thanos when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.thanos.store.chunk-pool-size¶
Maximum size of concurrently allocatable bytes for chunks.
Defaults to
2GBin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.grpc-address¶
Listen
ip:portaddress for gRPC endpoints (StoreAPI).Make sure this address is routable from other components.
Defaults to
0.0.0.0:10901in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.grpc-server-tls-cert¶
TLS Certificate for gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.store.grpc-server-tls-client-ca¶
TLS CA to verify clients against.
If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)
Type: null or string
Default:
nullDeclared by:
services.thanos.store.grpc-server-tls-key¶
TLS Key for the gRPC server, leave blank to disable TLS
Type: null or string
Default:
nullDeclared by:
services.thanos.store.http-address¶
Listen
host:portfor HTTP endpoints.Defaults to
0.0.0.0:10902in Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.index-cache-size¶
Maximum size of items held in the index cache.
Defaults to
250MBin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.log.format¶
Log format to use.
Type: null or string
Default:
nullDeclared by:
services.thanos.store.log.level¶
Log filtering level.
Defaults to
infoin Thanos when set tonull.Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”
Default:
nullDeclared by:
services.thanos.store.max-time¶
End of time range limit to serve.
Thanos Store serves only blocks, which happened eariler than this value. Option can be a constant time in RFC3339 format or time duration relative to current time, such as -1d or 2h45m. Valid duration units are ms, s, m, h, d, w, y.
Defaults to
9999-12-31T23:59:59Zin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.min-time¶
Start of time range limit to serve.
Thanos Store serves only metrics, which happened later than this value. Option can be a constant time in RFC3339 format or time duration relative to current time, such as -1d or 2h45m. Valid duration units are ms, s, m, h, d, w, y.
Defaults to
0000-01-01T00:00:00Zin Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.objstore.config¶
Object store configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.store.objstore.config-file¶
Path to YAML file that contains object store configuration.
See format details: ` <https://thanos.io/storage.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.objstore.config == null then null else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config); ''Declared by:
services.thanos.store.stateDir¶
Data directory relative to
/var/libin which to cache remote blocks.Type: string
Default:
"thanos-store"Declared by:
services.thanos.store.store.grpc.series-max-concurrency¶
Maximum number of concurrent Series calls.
Defaults to
20in Thanos when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.thanos.store.store.grpc.series-sample-limit¶
Maximum amount of samples returned via a single Series call.
0means no limit.NOTE: for efficiency we take 120 as the number of samples in chunk (it cannot be bigger than that), so the actual number of samples might be lower, even though the maximum could be hit.
Defaults to
0in Thanos when set tonull.Type: null or signed integer
Default:
nullDeclared by:
services.thanos.store.sync-block-duration¶
Repeat interval for syncing the blocks between local and remote view.
Defaults to
3min Thanos when set tonull.Type: null or string
Default:
nullDeclared by:
services.thanos.store.tracing.config¶
Tracing configuration.
When not
nullthe attribute set gets converted to a YAML file and stored in the Nix store. The option will default to its path.If is set this option has no effect.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or attribute set
Default:
nullDeclared by:
services.thanos.store.tracing.config-file¶
Path to YAML file that contains tracing configuration.
See format details: ` <https://thanos.io/tracing.md/#configuration>`_
Type: null or string
Default:
'' if config.services.thanos.<cmd>.tracing.config == null then null else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config); ''Declared by:
services.thelounge.enable¶
Whether to enable The Lounge web IRC client.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.thelounge.extraConfig¶
The Lounge’s
config.jscontents as attribute set (will be converted to JSON to generate the configuration file).The options defined here will be merged to the default configuration file. Note: In case of duplicate configuration, options from have priority.
Documentation: ` <https://thelounge.chat/docs/server/configuration>`_
Type: attribute set
Default: ``{
}``
Example:
{ reverseProxy = true; defaults = { name = "Your Network"; host = "localhost"; port = 6697; }; }Declared by:
services.thelounge.port¶
TCP port to listen on for http connections.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
9000Declared by:
services.thelounge.private¶
Make your The Lounge instance private. You will need to configure user accounts by using the (thelounge) command or by adding entries in
/var/lib/thelounge/users. You might need to restart The Lounge after making changes to the state directory.Type: boolean
Default:
falseDeclared by:
services.thermald.enable¶
Whether to enable thermald, the temperature management daemon.
Type: unspecified
Default:
falseDeclared by:
services.thermald.configFile¶
the thermald manual configuration file.
Type: null or path
Default:
nullDeclared by:
services.thermald.debug¶
Whether to enable debug logging.
Type: boolean
Default:
falseDeclared by:
services.thinkfan.enable¶
Whether to enable thinkfan, fan controller for IBM/Lenovo ThinkPads.
Type: boolean
Default:
falseDeclared by:
services.thinkfan.fan¶
Specifies the fan we want to use. On anything other than a Thinkpad you’ll probably use some PWM control file in /sys/class/hwmon. A sysfs fan would be specified like this: pwm_fan /sys/class/hwmon/hwmon2/device/pwm1
Type: string
Default:
"tp_fan /proc/acpi/ibm/fan"Declared by:
services.thinkfan.levels¶
(LEVEL, LOW, HIGH) LEVEL is the fan level to use (0-7 with thinkpad_acpi). LOW is the temperature at which to step down to the previous level. HIGH is the temperature at which to step up to the next level. All numbers are integers.
Type: strings concatenated with “\n”
Default:
'' (0, 0, 55) (1, 48, 60) (2, 50, 61) (3, 52, 63) (6, 56, 65) (7, 60, 85) (127, 80, 32767) ''Declared by:
services.thinkfan.sensors¶
thinkfan can read temperatures from three possible sources:
/proc/acpi/ibm/thermal Which is provided by the thinkpad_acpi kernel module (keyword tp_thermal)
/sys/class/hwmon/*/temp*_input Which may be provided by any hwmon drivers (keyword hwmon)
S.M.A.R.T. (requires smartSupport to be enabled) Which reads the temperature directly from the hard disk using libatasmart (keyword atasmart)
Multiple sensors may be added, in which case they will be numbered in their order of appearance.
Type: strings concatenated with “\n”
Default:
'' tp_thermal /proc/acpi/ibm/thermal (0,0,10) ''Declared by:
services.thinkfan.smartSupport¶
Whether to build thinkfan with SMART support to read temperatures directly from hard disks.
Type: boolean
Default:
falseDeclared by:
services.throttled.enable¶
Whether to enable fix for Intel CPU throttling.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.throttled.extraConfig¶
Alternative configuration
Type: string
Default:
""Declared by:
services.tiddlywiki.enable¶
Whether to enable TiddlyWiki nodejs server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tiddlywiki.listenOptions¶
Parameters passed to
--listencommand. Refer to ` <https://tiddlywiki.com/#WebServer>`_ for details on supported values.Type: attribute set
Default: ``{
}``
Example:
{ credentials = "../credentials.csv"; port = 3456; readers = "(authenticated)"; }Declared by:
services.timesyncd.enable¶
Enables the systemd NTP client daemon.
Type: boolean
Default:
trueDeclared by:
services.timesyncd.extraConfig¶
Extra config options for systemd-timesyncd. See`timesyncd.conf(5) <https://www.freedesktop.org/software/systemd/man/timesyncd.conf.html>`_ for available options.
Type: strings concatenated with “\n”
Default:
""Example:
'' PollIntervalMaxSec=180 ''Declared by:
services.timesyncd.servers¶
The set of NTP servers from which to synchronise.
Type: unspecified
Default:
[ "0.nixos.pool.ntp.org" "1.nixos.pool.ntp.org" "2.nixos.pool.ntp.org" "3.nixos.pool.ntp.org" ]Declared by:
services.tinc.networks¶
Defines the tinc networks which will be started. Each network invokes a different daemon.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.tinc.networks.<name>.package¶
The package to use for the tinc daemon’s binary.
Type: package
Default:
"pkgs.tinc_pre"Declared by:
services.tinc.networks.<name>.bindToAddress¶
The ip address to bind to (both listen on and send packets from).
Type: null or string
Default:
nullDeclared by:
services.tinc.networks.<name>.chroot¶
Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security. The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.
Note that tinc can’t run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.
Type: boolean
Default:
trueDeclared by:
services.tinc.networks.<name>.debugLevel¶
The amount of debugging information to add to the log. 0 means little logging while 5 is the most logging. man tincd for more details.
Type: signed integer
Default:
0Declared by:
services.tinc.networks.<name>.ed25519PrivateKeyFile¶
Path of the private ed25519 keyfile.
Type: null or path
Default:
nullDeclared by:
services.tinc.networks.<name>.extraConfig¶
Extra lines to add to the tinc service configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.tinc.networks.<name>.hosts¶
The name of the host in the network as well as the configuration for that host. This name should only contain alphanumerics and underscores.
Type: attribute set of strings concatenated with “\n”s
Default: ``{
}``
Declared by:
services.tinc.networks.<name>.interfaceType¶
The type of virtual interface used for the network connection
Type: one of “tun”, “tap”
Default:
"tun"Declared by:
services.tinc.networks.<name>.listenAddress¶
The ip address to listen on for incoming connections.
Type: null or string
Default:
nullDeclared by:
services.tinc.networks.<name>.name¶
The name of the node which is used as an identifier when communicating with the remote nodes in the mesh. If null then the hostname of the system is used to derive a name (note that tinc may replace non-alphanumeric characters in hostnames by underscores).
Type: null or string
Default:
nullDeclared by:
services.tinydns.enable¶
Whether to run the tinydns dns server
Type: boolean
Default:
falseDeclared by:
services.tinydns.data¶
The DNS data to serve, in the format described by tinydns-data(8)
Type: strings concatenated with “\n”
Default:
""Declared by:
services.tinydns.ip¶
IP address on which to listen for connections
Type: string
Default:
"0.0.0.0"Declared by:
services.tlp.enable¶
Whether to enable the TLP power management daemon.
Type: boolean
Default:
falseDeclared by:
services.tlp.extraConfig¶
Additional configuration variables for TLP
Type: strings concatenated with “\n”
Default:
""Declared by:
services.tomcat.enable¶
Whether to enable Apache Tomcat.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tomcat.package¶
Which tomcat package to use.
Type: package
Default:
"pkgs.tomcat85"Example:
pkgs.tomcat9Declared by:
services.tomcat.axis2.enable¶
Whether to enable an Apache Axis2 container
Type: boolean
Default:
falseDeclared by:
services.tomcat.axis2.services¶
List containing AAR files or directories with AAR files which are web services to be deployed on Axis2
Type: list of strings
Default: ``[
]``
Declared by:
services.tomcat.baseDir¶
Location where Tomcat stores configuration files, web applications and logfiles. Note that it is partially cleared on each service startup if `purifyOnStart` is enabled.
Type: path
Default:
"/var/tomcat"Declared by:
services.tomcat.catalinaOpts¶
Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container
Type: list of strings or string
Default:
""Declared by:
services.tomcat.commonLibs¶
List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container
Type: list of strings
Default: ``[
]``
Declared by:
services.tomcat.extraConfigFiles¶
Extra configuration files to pull into the tomcat conf directory
Type: list of paths
Default: ``[
]``
Declared by:
services.tomcat.extraEnvironment¶
Environment Variables to pass to the tomcat service
Type: list of strings
Default: ``[
]``
Example:
[ "ENVIRONMENT=production" ]Declared by:
services.tomcat.extraGroups¶
Defines extra groups to which the tomcat user belongs.
Type: unspecified
Default: ``[
]``
Example:
[ "users" ]Declared by:
services.tomcat.group¶
Group account under which Apache Tomcat runs.
Type: string
Default:
"tomcat"Declared by:
services.tomcat.javaOpts¶
Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat
Type: list of strings or string
Default:
""Declared by:
services.tomcat.jdk¶
Which JDK to use.
Type: package
Default:
"pkgs.jdk"Declared by:
services.tomcat.logDirs¶
services.tomcat.logPerVirtualHost¶
Whether to enable logging per virtual host.
Type: boolean
Default:
falseDeclared by:
services.tomcat.purifyOnStart¶
On startup, the `baseDir` directory is populated with various files, subdirectories and symlinks. If this option is enabled, these items (except for the `logs` and `work` subdirectories) are first removed. This prevents interference from remainders of an old configuration (libraries, webapps, etc.), so it’s recommended to enable this option.
Type: boolean
Default:
falseDeclared by:
services.tomcat.serverXml¶
Verbatim server.xml configuration. This is mutually exclusive with the virtualHosts options.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.tomcat.user¶
User account under which Apache Tomcat runs.
Type: string
Default:
"tomcat"Declared by:
services.tomcat.virtualHosts¶
List consisting of a virtual host name and a list of web applications to deploy on each virtual host
Type: list of submodules
Default: ``[
]``
Declared by:
services.tomcat.virtualHosts.*.aliases¶
services.tomcat.virtualHosts.*.name¶
name of the virtualhost
Type: string
Declared by:
services.tomcat.virtualHosts.*.webapps¶
List containing web application WAR files and/or directories containing web applications and configuration files for the virtual host.
Type: list of paths
Default: ``[
]``
Declared by:
services.tomcat.webapps¶
List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat
Type: list of paths
Default:
"[ pkgs.tomcat85.webapps ]"Declared by:
services.tor.enable¶
Enable the Tor daemon. By default, the daemon is run without relay, exit, bridge or client connectivity.
Type: boolean
Default:
falseDeclared by:
services.tor.enableGeoIP¶
Whenever to configure Tor daemon to use GeoIP databases.
Disabling this will disable by-country statistics for bridges and relays and some client and third-party software functionality.
Type: boolean
Default:
trueDeclared by:
services.tor.client.enable¶
Whether to enable Tor daemon to route application connections. You might want to disable this if you plan running a dedicated Tor relay.
Type: boolean
Default:
falseDeclared by:
services.tor.client.dns.enable¶
Whether to enable tor dns resolver
Type: boolean
Default:
falseDeclared by:
services.tor.client.dns.automapHostsSuffixes¶
List of suffixes to use with automapHostsOnResolve
Type: list of strings
Default:
[ ".onion" ".exit" ]Example:
[ ".onion" ]Declared by:
services.tor.client.dns.isolationOptions¶
Tor isolation options
Type: list of one of “IsolateClientAddr”, “IsolateSOCKSAuth”, “IsolateClientProtocol”, “IsolateDestPort”, “IsolateDestAddr”s
Default: ``[
]``
Example:
[ "IsolateClientAddr" "IsolateSOCKSAuth" "IsolateClientProtocol" "IsolateDestPort" "IsolateDestAddr" ]Declared by:
services.tor.client.dns.listenAddress¶
Bind tor dns to this address.
Type: string
Default:
"127.0.0.1:9053"Example:
"192.168.0.1:9053"Declared by:
services.tor.client.privoxy.enable¶
Whether to enable and configure the system Privoxy to use Tor’s faster port, suitable for HTTP.
To have anonymity, protocols need to be scrubbed of identifying information, and this can be accomplished for HTTP by Privoxy.
Privoxy can also be useful for KDE torification. A good setup would be: setting SOCKS proxy to the default Tor port, providing maximum circuit isolation where possible; and setting HTTP proxy to Privoxy to route HTTP traffic over faster, but less isolated port.
Type: boolean
Default:
trueDeclared by:
services.tor.client.socksIsolationOptions¶
Tor isolation options
Type: list of one of “IsolateClientAddr”, “IsolateSOCKSAuth”, “IsolateClientProtocol”, “IsolateDestPort”, “IsolateDestAddr”s
Default:
[ "IsolateDestAddr" ]Example:
[ "IsolateClientAddr" "IsolateSOCKSAuth" "IsolateClientProtocol" "IsolateDestPort" "IsolateDestAddr" ]Declared by:
services.tor.client.socksListenAddress¶
Bind to this address to listen for connections from Socks-speaking applications. Provides strong circuit isolation, separate circuit per IP address.
Type: string
Default:
"127.0.0.1:9050"Example:
"192.168.0.1:9100"Declared by:
services.tor.client.socksListenAddressFaster¶
Bind to this address to listen for connections from Socks-speaking applications. Same as but uses weaker circuit isolation to provide performance suitable for a web browser.
Type: string
Default:
"127.0.0.1:9063"Example:
"192.168.0.1:9101"Declared by:
services.tor.client.socksPolicy¶
Entry policies to allow/deny SOCKS requests based on IP address. First entry that matches wins. If no SocksPolicy is set, we accept all (and only) requests from.
Type: null or string
Default:
nullExample:
"accept 192.168.0.0/16, reject \*"Declared by:
services.tor.client.transparentProxy.enable¶
Whether to enable tor transparent proxy
Type: boolean
Default:
falseDeclared by:
services.tor.client.transparentProxy.isolationOptions¶
Tor isolation options
Type: list of one of “IsolateClientAddr”, “IsolateSOCKSAuth”, “IsolateClientProtocol”, “IsolateDestPort”, “IsolateDestAddr”s
Default: ``[
]``
Example:
[ "IsolateClientAddr" "IsolateSOCKSAuth" "IsolateClientProtocol" "IsolateDestPort" "IsolateDestAddr" ]Declared by:
services.tor.client.transparentProxy.listenAddress¶
Bind transparent proxy to this address.
Type: string
Default:
"127.0.0.1:9040"Example:
"192.168.0.1:9040"Declared by:
services.tor.controlPort¶
If set, Tor will accept connections on the specified port and allow them to control the tor process.
Type: null or signed integer or string
Default:
nullExample:
9051Declared by:
services.tor.controlSocket.enable¶
Wheter to enable Tor control socket. Control socket is created in
/run/tor/controlType: boolean
Default:
falseDeclared by:
services.tor.extraConfig¶
Extra configuration. Contents will be added verbatim to the configuration file at the end.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.tor.relay.enable¶
Whether to enable relaying TOR traffic for others.
See ` <https://www.torproject.org/docs/tor-doc-relay>`_ for details.
Setting this to true requires setting and options.
Type: boolean
Default:
falseDeclared by:
services.tor.relay.accountingMax¶
Specify maximum bandwidth allowed during an accounting period. This allows you to limit overall tor bandwidth over some time period. See the
AccountingMaxoption by looking at the tor manual tor1 for more.Note this limit applies individually to upload and download; if you specify
"500 GBytes"here, then you may transfer up to 1 TBytes of overall bandwidth (500 GB upload, 500 GB download).Type: null or string
Default:
nullExample:
"450 GBytes"Declared by:
services.tor.relay.accountingStart¶
Specify length of an accounting period. This allows you to limit overall tor bandwidth over some time period. See the``AccountingStart`` option by looking at the tor manual tor1 for more.
Type: null or string
Default:
nullExample:
"month 1 1:00"Declared by:
services.tor.relay.address¶
The IP address or full DNS name for advertised address of your relay. Leave unset and Tor will guess.
Type: null or string
Default:
nullExample:
"noname.example.com"Declared by:
services.tor.relay.bandwidthBurst¶
Specify this to allow bursts of the bandwidth usage of relayed (server) traffic. The average usage will still be as specified in relayBandwidthRate. Your own traffic is still unthrottled. Units: bytes/second.
Type: null or signed integer
Default:
nullExample:
200Declared by:
services.tor.relay.bandwidthRate¶
Specify this to limit the bandwidth usage of relayed (server) traffic. Your own traffic is still unthrottled. Units: bytes/second.
Type: null or signed integer
Default:
nullExample:
100Declared by:
services.tor.relay.bridgeTransports¶
List of pluggable transports
Type: list of strings
Default:
[ "obfs4" ]Example:
[ "obfs2" "obfs3" "obfs4" "scramblesuit" ]Declared by:
services.tor.relay.contactInfo¶
Contact information for the relay owner (e.g. a mail address and GPG key ID).
Type: null or string
Default:
nullExample:
"admin@relay.com"Declared by:
services.tor.relay.exitPolicy¶
A comma-separated list of exit policies. They’re considered first to last, and the first match wins. If you want to _replace_ the default exit policy, end this with either a reject *:* or an accept *:*. Otherwise, you’re _augmenting_ (prepending to) the default exit policy. Leave commented to just use the default, which is available in the man page or at` <https://www.torproject.org/documentation.html>`_.
Look at` <https://www.torproject.org/faq-abuse.html#TypicalAbuses>`_ for issues you might encounter if you use the default exit policy.
If certain IPs and ports are blocked externally, e.g. by your firewall, you should update your exit policy to reflect this – otherwise Tor users will be told that those destinations are down.
Type: null or string
Default:
nullExample:
"accept \*:6660-6667,reject \*:*"Declared by:
services.tor.relay.nickname¶
A unique handle for your TOR relay.
Type: string
Default:
"anonymous"Declared by:
services.tor.relay.port¶
What port to advertise for Tor connections. This corresponds to the``ORPort`` section in the Tor manual; seetor1 for more details.
At a minimum, you should just specify the port for the relay to listen on; a common one like 143, 22, 80, or 443 to help Tor users who may have very restrictive port-based firewalls.
Type: signed integer or string
Example:
143Declared by:
services.tor.relay.role¶
Your role in Tor network. There’re several options:
exitAn exit relay. This allows Tor users to access regular Internet services through your public IP.
Important
Running an exit relay may expose you to abuse complaints. See ` <https://www.torproject.org/faq.html.en#ExitPolicies>`_ for more info.
You can specify which services Tor users may access via your exit relay using option.
relayRegular relay. This allows Tor users to relay onion traffic to other Tor nodes, but not to public Internet.
Important
Note that some misconfigured and/or disrespectful towards privacy sites will block you even if your relay is not an exit relay. That is, just being listed in a public relay directory can have unwanted consequences.
Which means you might not want to use this role if you browse public Internet from the same network as your relay, unless you want to write e-mails to those sites (you should!).
See ` <https://www.torproject.org/docs/tor-doc-relay.html.en>`_ for more info.
bridgeRegular bridge. Works like a regular relay, but doesn’t list you in the public relay directory and hides your Tor node behind obfs4proxy.
Using this option will make Tor advertise your bridge to users through various mechanisms like ` <https://bridges.torproject.org/>`_, though.
Important
WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE. Consult with your lawer when in doubt.
This role should be safe to use in most situations (unless the act of forwarding traffic for others is a punishable offence under your local laws, which would be pretty insane as it would make ISP illegal).
See ` <https://www.torproject.org/docs/bridges.html.en>`_ for more info.
private-bridgePrivate bridge. Works like regular bridge, but does not advertise your node in any way.
Using this role means that you won’t contribute to Tor network in any way unless you advertise your node yourself in some way.
Use this if you want to run a private bridge, for example because you’ll give out your bridge address manually to your friends.
Switching to this role after measurable time in “bridge” role is pretty useless as some Tor users would have learned about your node already. In the latter case you can still change option.
See ` <https://www.torproject.org/docs/bridges.html.en>`_ for more info.
Type: one of “exit”, “relay”, “bridge”, “private-bridge”
Declared by:
services.tor.torsocks.enable¶
Whether to build
/etc/tor/torsocks.confcontaining the specified global torsocks configuration.Type: boolean
Default:
falseDeclared by:
services.tor.torsocks.allowInbound¶
Set Torsocks to accept inbound connections. If set to``true``, listen() and accept() will be allowed to be used with non localhost address.
Type: boolean
Default:
falseDeclared by:
services.tor.torsocks.fasterServer¶
IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP. Currently, hostnames are NOT supported by torsocks.
Type: string
Default:
"127.0.0.1:9063"Example:
"192.168.0.20:1234"Declared by:
services.tor.torsocks.onionAddrRange¶
Tor hidden sites do not have real IP addresses. This specifies what range of IP addresses will be handed to the application as “cookies” for .onion names. Of course, you should pick a block of addresses which you aren’t going to ever need to actually connect to. This is similar to the MapAddress feature of the main tor daemon.
Type: string
Default:
"127.42.42.0/24"Declared by:
services.tor.torsocks.server¶
IP/Port of the Tor SOCKS server. Currently, hostnames are NOT supported by torsocks.
Type: string
Default:
"127.0.0.1:9050"Example:
"192.168.0.20:1234"Declared by:
services.tor.torsocks.socks5Password¶
SOCKS5 password. The
TORSOCKS_PASSWORDenvironment variable overrides this option if it is set.Type: null or string
Default:
nullExample:
"sekret"Declared by:
services.tor.torsocks.socks5Username¶
SOCKS5 username. The
TORSOCKS_USERNAMEenvironment variable overrides this option if it is set.Type: null or string
Default:
nullExample:
"bob"Declared by:
services.tor.tsocks.enable¶
Whether to build tsocks wrapper script to relay application traffic via Tor.
Important
You shouldn’t use this unless you know what you’re doing because your installation of Tor already comes with its own superior (doesn’t leak DNS queries)
torsockswrapper which does pretty much exactly the same thing as this.Type: boolean
Default:
falseDeclared by:
services.tor.tsocks.config¶
Extra configuration. Contents will be added verbatim to TSocks configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.tor.tsocks.server¶
IP address of TOR client to use.
Type: string
Default:
"localhost:9050"Example:
"192.168.0.20"Declared by:
services.torque.mom.enable¶
Whether to enable torque computing node.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.torque.mom.serverNode¶
Hostname running pbs server.
Type: string
Declared by:
services.torque.server.enable¶
Whether to enable torque server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tox-node.enable¶
Whether to enable Tox Node service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tox-node.keysFile¶
Path to the file where DHT keys are stored.
Type: string
Default:
"/var/lib/tox-node/keys"Declared by:
services.tox-node.lanDiscovery¶
Enable local network discovery.
Type: boolean
Default:
trueDeclared by:
services.tox-node.logType¶
Logging implementation.
Type: one of “Stderr”, “Stdout”, “Syslog”, “None”
Default:
"Stderr"Declared by:
services.tox-node.motd¶
Message of the day
Type: string
Default:
"Hi from tox-rs! I'm up {{uptime}}. TCP: incoming {{tcp_packets_in}}, outgoing {{tcp_packets_out}}, UDP: incoming {{udp_packets_in}}, outgoing {{udp_packets_out}}"Declared by:
services.tox-node.tcpAddresses¶
TCP addresses to run TCP relay.
Type: list of strings
Default:
[ "0.0.0.0:33445" ]Declared by:
services.tox-node.tcpConnectionLimit¶
Maximum number of active TCP connections relay can hold
Type: signed integer
Default:
8192Declared by:
services.tox-node.threads¶
Number of threads for execution
Type: signed integer
Default:
1Declared by:
services.tox-node.udpAddress¶
UDP address to run DHT node.
Type: string
Default:
"0.0.0.0:33445"Declared by:
services.toxBootstrapd.enable¶
Whether to enable the Tox DHT bootstrap daemon.
Type: boolean
Default:
falseDeclared by:
services.toxBootstrapd.extraConfig¶
Configuration for bootstrap daemon. See ` <https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf>`_ and ` <http://wiki.tox.im/Nodes>`_.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.toxBootstrapd.keysFile¶
Node key file.
Type: string
Default:
"/var/lib/tox-bootstrapd/keys"Declared by:
services.toxBootstrapd.port¶
Listening port (UDP).
Type: signed integer
Default:
33445Declared by:
services.toxvpn.enable¶
Whether to enable toxvpn running on startup.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.toxvpn.auto_add_peers¶
peers to automatically connect to on startup
Type: list of strings
Default: ``[
]``
Example:
''[ "toxid1" "toxid2" ]''Declared by:
services.toxvpn.localip¶
your ip on the vpn
Type: string
Default:
"10.123.123.1"Declared by:
services.toxvpn.port¶
udp port for toxcore, port-forward to help with connectivity if you run many nodes behind one NAT
Type: signed integer
Default:
33445Declared by:
services.trac.enable¶
Whether to enable Trac service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.trac.dataDir¶
The directory for storing the Trac data.
Type: path
Default:
"/var/lib/trac"Declared by:
services.trac.listen.ip¶
IP address that Trac should listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.trac.listen.port¶
Listen port for Trac.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8000Declared by:
services.trac.openFirewall¶
Open ports in the firewall for Trac.
Type: boolean
Default:
falseDeclared by:
services.traefik.enable¶
Whether to enable Traefik web server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.traefik.package¶
Traefik package to use.
Type: package
Default:
"pkgs.traefik"Declared by:
services.traefik.configFile¶
Path to verbatim traefik.toml to use. (Using that option has precedence over
configOptions)Type: null or path
Default:
nullExample:
/path/to/config.tomlDeclared by:
services.traefik.configOptions¶
Config for Traefik.
Type: attribute set
Default:
{ defaultEntryPoints = [ "http" ] ; entryPoints = { http = { address = ":80"; } ; } ; }Example: ``{ backends = { backend1 = { servers = { server1 = { url = “http://localhost:8000”; } ; } ; } ; } ; defaultEntrypoints = [ “http” ] ; entryPoints = { http = { address = “:80”; } ; } ; file = {
} ; frontends = { frontend1 = { backend = “backend1”; routes = { test_1 = { rule = “Host:localhost”; } ; } ; } ; } ; web = { address = “:8080”; } ; }``
Declared by:
services.traefik.dataDir¶
Location for any persistent data traefik creates, ie. acme
Type: path
Default:
"/var/lib/traefik"Declared by:
services.traefik.group¶
Set the group that traefik runs under. For the docker backend this needs to be set to
dockerinstead.Type: string
Default:
"traefik"Example:
"docker"Declared by:
services.transmission.enable¶
Whether or not to enable the headless Transmission BitTorrent daemon.
Transmission daemon can be controlled via the RPC interface using transmission-remote or the WebUI (http://localhost:9091/ by default).
Torrents are downloaded to /var/lib/transmission/Downloads by default and are accessible to users in the “transmission” group.
Type: boolean
Default:
falseDeclared by:
services.transmission.downloadDirPermissions¶
The permissions to set for download-dir and incomplete-dir. They will be applied on every service start.
Type: string
Default:
"770"Example:
"775"Declared by:
services.transmission.group¶
Group account under which Transmission runs.
Type: string
Default:
"transmission"Declared by:
services.transmission.home¶
The directory where transmission will create files.
Type: path
Default:
"/var/lib/transmission"Declared by:
services.transmission.port¶
TCP port number to run the RPC/web interface.
Type: signed integer
Default:
9091Declared by:
services.transmission.settings¶
Attribute set whos fields overwrites fields in settings.json (each time the service starts). String values must be quoted, integer and boolean values must not.
See https://github.com/transmission/transmission/wiki/Editing-Configuration-Files for documentation.
Type: attribute set
Default:
{ download-dir = "/var/lib/transmission/Downloads"; incomplete-dir = "/var/lib/transmission/.incomplete"; incomplete-dir-enabled = true; }Example:
{ download-dir = "/srv/torrents/"; incomplete-dir = "/srv/torrents/.incomplete/"; incomplete-dir-enabled = true; rpc-whitelist = "127.0.0.1,192.168.*.*"; }Declared by:
services.transmission.user¶
User account under which Transmission runs.
Type: string
Default:
"transmission"Declared by:
services.trezord.enable¶
Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.
Type: boolean
Default:
falseDeclared by:
services.trezord.emulator.enable¶
Enable Trezor emulator support.
Type: boolean
Default:
falseDeclared by:
services.trezord.emulator.port¶
Listening port for the Trezor emulator.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
21324Declared by:
services.trickster.enable¶
Enable Trickster.
Type: boolean
Default:
falseDeclared by:
services.trickster.package¶
Package that should be used for trickster.
Type: package
Default:
"pkgs.trickster"Declared by:
services.trickster.configFile¶
Path to configuration file.
Type: null or path
Default:
nullDeclared by:
services.trickster.instance-id¶
Instance ID for when running multiple processes (default null).
Type: null or signed integer
Default:
nullDeclared by:
services.trickster.log-level¶
Level of Logging to use (debug, info, warn, error) (default “info”).
Type: string
Default:
"info"Declared by:
services.trickster.metrics-port¶
Port that the /metrics endpoint will listen on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8082Declared by:
services.trickster.origin¶
URL to the Prometheus Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090).
Type: string
Default:
"http://prometheus:9090"Declared by:
services.trickster.profiler-port¶
Port that the /debug/pprof endpoint will listen on.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
nullDeclared by:
services.trickster.proxy-port¶
Port that the Proxy server will listen on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
9090Declared by:
services.triggerhappy.enable¶
Whether to enable the triggerhappy hotkey daemon.
Type: boolean
Default:
falseDeclared by:
services.triggerhappy.bindings¶
Key bindings for triggerhappy.
Type: list of submodules
Default: ``[
]``
Example:
[ { keys = ["PLAYPAUSE"]; cmd = "${pkgs.mpc_cli}/bin/mpc -q toggle"; } ]Declared by:
services.triggerhappy.bindings.*.cmd¶
services.triggerhappy.bindings.*.event¶
Event to match.
Type: one of “press”, “hold”, “release”
Default:
"press"Declared by:
services.triggerhappy.bindings.*.keys¶
List of keys to match. Key names as defined in linux/input-event-codes.h
Type: list of strings
Declared by:
services.triggerhappy.extraConfig¶
Literal contents to append to the end of triggerhappy configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.triggerhappy.user¶
User account under which triggerhappy runs.
Type: string
Default:
"nobody"Example:
"root"Declared by:
services.trilium-server.enable¶
Whether to enable trilium-server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.trilium-server.dataDir¶
The directory storing the nodes database and the configuration.
Type: string
Default:
"/var/lib/trilium"Declared by:
services.trilium-server.host¶
The host address to bind to (defaults to localhost).
Type: string
Default:
"127.0.0.1"Declared by:
services.trilium-server.instanceName¶
Instance name used to distinguish between different instances
Type: string
Default:
"Trilium"Declared by:
services.trilium-server.nginx¶
services.trilium-server.nginx.enable¶
Configure the nginx reverse proxy settings.
Type: boolean
Default:
falseDeclared by:
services.trilium-server.nginx.hostName¶
The hostname use to setup the virtualhost configuration
Type: string
Declared by:
services.trilium-server.port¶
The port number to bind to.
Type: signed integer
Default:
8080Declared by:
services.tsmBackup.enable¶
Whether to enable automatic backups with the IBM Spectrum Protect (Tivoli Storage Manager, TSM) client. This also enables .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tsmBackup.autoTime¶
The backup service will be invoked automatically at the given date/time, which must be in the format described insystemd.time5. The default
nulldisables automatic backups.Type: null or string matching the pattern .+
Default:
nullExample:
"12:00"Declared by:
services.tsmBackup.command¶
The actual command passed to the``dsmc`` executable to start the backup.
Type: string matching the pattern .+
Default:
"backup"Example:
"incr"Declared by:
services.tsmBackup.servername¶
Create a systemd system service``tsm-backup.service`` that starts a backup based on the given servername’s stanza. Note that this server’s will default to:file:/var/lib/tsm-backup/password (but may be overridden); also, the service will use:file:/var/lib/tsm-backup as``HOME`` when calling``dsmc``.
Type: string matching the pattern .+
Example:
"mainTsmServer"Declared by:
services.tt-rss.enable¶
Whether to enable tt-rss.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tt-rss.enableGZipOutput¶
Selectively gzip output to improve wire performance. This requires PHP Zlib extension on the server. Enabling this can break tt-rss in several httpd/php configurations, if you experience weird errors and tt-rss failing to start, blank pages after login, or content encoding errors, disable it.
Type: boolean
Default:
trueDeclared by:
services.tt-rss.auth.autoCreate¶
Allow authentication modules to auto-create users in tt-rss internal database when authenticated successfully.
Type: boolean
Default:
trueDeclared by:
services.tt-rss.auth.autoLogin¶
Automatically login user on remote or other kind of externally supplied authentication, otherwise redirect to login form as normal. If set to true, users won’t be able to set application language and settings profile.
Type: boolean
Default:
trueDeclared by:
services.tt-rss.database.createLocally¶
Create the database and database user locally.
Type: boolean
Default:
trueDeclared by:
services.tt-rss.database.host¶
Host of the database. Leave null to use Unix domain socket.
Type: null or string
Default:
nullDeclared by:
services.tt-rss.database.name¶
Name of the existing database.
Type: string
Default:
"tt_rss"Declared by:
services.tt-rss.database.password¶
The database user’s password.
Type: null or string
Default:
nullDeclared by:
services.tt-rss.database.passwordFile¶
The database user’s password.
Type: null or string
Default:
nullDeclared by:
services.tt-rss.database.port¶
The database’s port. If not set, the default ports will be provided (5432 and 3306 for pgsql and mysql respectively).
Type: null or signed integer
Default:
nullDeclared by:
services.tt-rss.database.type¶
Database to store feeds. Supported are pgsql and mysql.
Type: one of “pgsql”, “mysql”
Default:
"pgsql"Declared by:
services.tt-rss.database.user¶
The database user. The user must exist and has access to the specified database.
Type: string
Default:
"tt_rss"Declared by:
services.tt-rss.email.digestSubject¶
Subject line for email digests.
Type: string
Default:
"\[tt-rss] New headlines for last 24 hours"Declared by:
services.tt-rss.email.fromAddress¶
Address for sending outgoing mail. This applies to password reset notifications, digest emails and any other mail.
Type: string
Default:
""Declared by:
services.tt-rss.email.fromName¶
Name for sending outgoing mail. This applies to password reset notifications, digest emails and any other mail.
Type: string
Default:
"Tiny Tiny RSS"Declared by:
services.tt-rss.email.login¶
SMTP authentication login used when sending outgoing mail.
Type: string
Default:
""Declared by:
services.tt-rss.email.password¶
SMTP authentication password used when sending outgoing mail.
Type: string
Default:
""Declared by:
services.tt-rss.email.security¶
Used to select a secure SMTP connection. Allowed values: ssl, tls, or empty.
Type: one of “”, “ssl”, “tls”
Default:
""Declared by:
services.tt-rss.email.server¶
Hostname:port combination to send outgoing mail. Blank - use system MTA.
Type: string
Default:
""Example:
"localhost:25"Declared by:
services.tt-rss.extraConfig¶
Additional lines to append to
config.php.Type: strings concatenated with “\n”
Default:
""Declared by:
services.tt-rss.feedCryptKey¶
Key used for encryption of passwords for password-protected feeds in the database. A string of 24 random characters. If left blank, encryption is not used. Requires mcrypt functions. Warning: changing this key will make your stored feed passwords impossible to decrypt.
Type: string
Default:
""Declared by:
services.tt-rss.forceArticlePurge¶
When this option is not 0, users ability to control feed purging intervals is disabled and all articles (which are not starred) older than this amount of days are purged.
Type: signed integer
Default:
0Declared by:
services.tt-rss.logDestination¶
Log destination to use. Possible values: sql (uses internal logging you can read in Preferences -> System), syslog - logs to system log. Setting this to blank uses PHP logging (usually to http server error.log).
Type: one of “”, “sql”, “syslog”
Default:
"sql"Declared by:
services.tt-rss.pluginPackages¶
List of plugins to install. The list elements are expected to be derivations. All elements in this derivation are automatically copied to the
plugins.localdirectory.Type: list of packages
Default: ``[
]``
Declared by:
services.tt-rss.plugins¶
List of plugins to load automatically for all users. System plugins have to be specified here. Please enable at least one authentication plugin here (auth_*). Users may enable other user plugins from Preferences/Plugins but may not disable plugins specified in this list. Disabling auth_internal in this list would automatically disable reset password link on the login form.
Type: list of strings
Default:
[ "auth_internal" "note" ]Declared by:
services.tt-rss.pool¶
Name of existing phpfpm pool that is used to run web-application. If not specified a pool will be created automatically with default values.
Type: string
Default:
"tt-rss"Declared by:
services.tt-rss.pubSubHubbub.enable¶
Enable client PubSubHubbub support in tt-rss. When disabled, tt-rss won’t try to subscribe to PUSH feed updates.
Type: boolean
Default:
falseDeclared by:
services.tt-rss.pubSubHubbub.hub¶
URL to a PubSubHubbub-compatible hub server. If defined, “Published articles” generated feed would automatically become PUSH-enabled.
Type: string
Default:
""Declared by:
services.tt-rss.registration.enable¶
Allow users to register themselves. Please be aware that allowing random people to access your tt-rss installation is a security risk and potentially might lead to data loss or server exploit. Disabled by default.
Type: boolean
Default:
falseDeclared by:
services.tt-rss.registration.maxUsers¶
Maximum amount of users which will be allowed to register on this system. 0 - no limit.
Type: signed integer
Default:
0Declared by:
services.tt-rss.registration.notifyAddress¶
Email address to send new user notifications to.
Type: string
Default:
""Declared by:
services.tt-rss.root¶
Root of the application.
Type: path
Default:
"/var/lib/tt-rss"Example:
"/var/lib/tt-rss"Declared by:
services.tt-rss.selfUrlPath¶
Full URL of your tt-rss installation. This should be set to the location of tt-rss directory, e.g. http://example.org/tt-rss/ You need to set this option correctly otherwise several features including PUSH, bookmarklets and browser integration will not work properly.
Type: string
Example:
"http://localhost"Declared by:
services.tt-rss.sessionCookieLifetime¶
Default lifetime of a session (e.g. login) cookie. In seconds, 0 means cookie will be deleted when browser closes.
Type: signed integer
Default:
86400Declared by:
services.tt-rss.simpleUpdateMode¶
Enables fallback update mode where tt-rss tries to update feeds in background while tt-rss is open in your browser. If you don’t have a lot of feeds and don’t want to or can’t run background processes while not running tt-rss, this method is generally viable to keep your feeds up to date. Still, there are more robust (and recommended) updating methods available, you can read about them here: http://tt-rss.org/wiki/UpdatingFeeds
Type: boolean
Default:
falseDeclared by:
services.tt-rss.singleUserMode¶
Operate in single user mode, disables all functionality related to multiple users and authentication. Enabling this assumes you have your tt-rss directory protected by other means (e.g. http auth).
Type: boolean
Default:
falseDeclared by:
services.tt-rss.sphinx.index¶
Index names in Sphinx configuration. Example configuration files are available on tt-rss wiki.
Type: list of strings
Default:
[ "ttrss" "delta" ]Declared by:
services.tt-rss.sphinx.server¶
Hostname:port combination for the Sphinx server.
Type: string
Default:
"localhost:9312"Declared by:
services.tt-rss.themePackages¶
List of themes to install. The list elements are expected to be derivations. All elements in this derivation are automatically copied to the
themes.localdirectory.Type: list of packages
Default: ``[
]``
Declared by:
services.tt-rss.user¶
User account under which both the update daemon and the web-application run.
Type: string
Default:
"tt_rss"Example:
"tt_rss"Declared by:
services.tt-rss.virtualHost¶
Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.
Type: null or string
Default:
"tt-rss"Declared by:
services.ttyd.enable¶
Whether to enable ttyd daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ttyd.enableIPv6¶
Whether or not to enable IPv6 support.
Type: boolean
Default:
falseDeclared by:
services.ttyd.enableSSL¶
Whether or not to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.ttyd.caFile¶
SSL CA file path for client certificate verification.
Type: null or path
Default:
nullDeclared by:
services.ttyd.certFile¶
SSL certificate file path.
Type: null or path
Default:
nullDeclared by:
services.ttyd.checkOrigin¶
Whether to allow a websocket connection from a different origin.
Type: boolean
Default:
falseDeclared by:
services.ttyd.clientOptions¶
Attribute set of client options for xtermjs.` <https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/>`_
Type: attribute set of strings
Default: ``{
}``
Example:
{ fontSize = "16"; fontFamily = "Fira Code"; }Declared by:
services.ttyd.indexFile¶
Custom index.html path
Type: null or path
Default:
nullDeclared by:
services.ttyd.interface¶
Network interface to bind.
Type: null or string
Default:
nullExample:
"eth0"Declared by:
services.ttyd.keyFile¶
SSL key file path. For insecurely putting the keyFile in the globally readable store use``pkgs.writeText “ttydKeyFile” “SSLKEY”``.
Type: null or path
Default:
nullDeclared by:
services.ttyd.logLevel¶
Set log level.
Type: signed integer
Default:
7Declared by:
services.ttyd.maxClients¶
Maximum clients to support (0, no limit)
Type: signed integer
Default:
0Declared by:
services.ttyd.passwordFile¶
File containing the password to use for basic authentication. For insecurely putting the password in the globally readable store use``pkgs.writeText “ttydpw” “MyPassword”``.
Type: null or path
Default:
nullDeclared by:
services.ttyd.port¶
Port to listen on (use 0 for random port)
Type: signed integer
Default:
7681Declared by:
services.ttyd.signal¶
Signal to send to the command on session close.
Type: 8 bit unsigned integer; between 0 and 255 (both inclusive)
Default:
1Declared by:
services.ttyd.socket¶
UNIX domain socket path to bind.
Type: null or path
Default:
nullExample:
"/var/run/ttyd.sock"Declared by:
services.ttyd.terminalType¶
Terminal type to report.
Type: string
Default:
"xterm-256color"Declared by:
services.ttyd.username¶
Username for basic authentication.
Type: null or string
Default:
nullDeclared by:
services.tumbler.enable¶
Whether to enable Tumbler, A D-Bus thumbnailer service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tvheadend.enable¶
Whether to enable Tvheadend.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.tvheadend.htspPort¶
Port to bind HTSP to.
Type: signed integer
Default:
9982Declared by:
services.tvheadend.httpPort¶
Port to bind HTTP to.
Type: signed integer
Default:
9981Declared by:
services.tzupdate.enable¶
Enable the tzupdate timezone updating service. This provides a one-shot service which can be activated with systemctl to update the timezone.
Type: boolean
Default:
falseDeclared by:
services.u9fs.enable¶
Whether to run the u9fs 9P server for Unix.
Type: boolean
Default:
falseDeclared by:
services.u9fs.extraArgs¶
Extra arguments to pass on invocation, see man 4 u9fs
Type: string
Default:
""Example:
"-a none"Declared by:
services.u9fs.listenStreams¶
Sockets to listen for clients on. See man 5 systemd.socket for socket syntax.
Type: list of strings
Default:
[ "564" ]Example:
[ "192.168.16.1:564" ]Declared by:
services.u9fs.user¶
User to run u9fs under.
Type: string
Default:
"nobody"Declared by:
services.udev.packages¶
List of packages containing udev rules. All files found in:file:None and:file:None will be included.
Type: list of paths
Default: ``[
]``
Declared by:
services.udev.extraHwdb¶
Additional hwdb files. They’ll be written into file
99-local.hwdb. Thus they are read after all other files.Type: strings concatenated with “\n”
Default:
""Example:
'' evdev:input:b0003v05AFp8277* KEYBOARD_KEY_70039=leftalt KEYBOARD_KEY_700e2=leftctrl ''Declared by:
services.udev.extraRules¶
Additional udev rules. They’ll be written into file
99-local.rules. Thus they are read and applied after all other rules.Type: strings concatenated with “\n”
Default:
""Example:
'' KERNEL=="eth*", ATTR{address}=="00:1D:60:B9:6D:4F", NAME="my_fast_network_card" ''Declared by:
services.udev.path¶
Packages added to the PATH environment variable when executing programs from Udev rules.
Type: list of paths
Default: ``[
]``
Declared by:
services.udisks2.enable¶
Whether to enable Udisks, a DBus service that allows applications to query and manipulate storage devices.
Type: boolean
Default:
trueDeclared by:
services.uhub.enable¶
Whether to enable the uhub ADC hub.
Type: boolean
Default:
falseDeclared by:
services.uhub.enableTLS¶
Whether to enable TLS support.
Type: boolean
Default:
falseDeclared by:
services.uhub.aclConfig¶
Contents of user ACL configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.uhub.address¶
Address to bind the hub to.
Type: string
Default:
"any"Declared by:
services.uhub.hubConfig¶
Contents of uhub configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.uhub.plugins.authSqlite.enable¶
Whether to enable the Sqlite authentication database plugin
Type: boolean
Default:
falseDeclared by:
services.uhub.plugins.authSqlite.file¶
Path to user database. Use the uhub-passwd utility to create the database and add/remove users.
Type: path
Example:
"/var/db/uhub-users"Declared by:
services.uhub.plugins.history.enable¶
Whether to enable the history plugin.
Type: boolean
Default:
falseDeclared by:
services.uhub.plugins.history.connect¶
The number of chat history messages to send when users connect (0 = do not send any history).
Type: signed integer
Default:
5Declared by:
services.uhub.plugins.history.default¶
When !history is provided without arguments, then this default number of messages are returned.
Type: signed integer
Default:
10Declared by:
services.uhub.plugins.history.max¶
The maximum number of messages to keep in history
Type: signed integer
Default:
200Declared by:
services.uhub.plugins.logging.enable¶
Whether to enable the logging plugin.
Type: boolean
Default:
falseDeclared by:
services.uhub.plugins.logging.file¶
Path of log file.
Type: string
Default:
""Declared by:
services.uhub.plugins.logging.syslog¶
If true then the system log is used instead of writing to file.
Type: boolean
Default:
falseDeclared by:
services.uhub.plugins.welcome.enable¶
Whether to enable the welcome plugin.
Type: boolean
Default:
falseDeclared by:
services.uhub.plugins.welcome.motd¶
Welcome message displayed to clients after connecting and with the
!motdcommand.Type: strings concatenated with “\n”
Default:
""Declared by:
services.uhub.plugins.welcome.rules¶
Rules message, displayed to clients with the
!rulescommand.Type: strings concatenated with “\n”
Default:
""Declared by:
services.uhub.port¶
TCP port to bind the hub to.
Type: signed integer
Default:
1511Declared by:
services.unbound.enable¶
Whether to enable Unbound domain name server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.unbound.enableRootTrustAnchor¶
Use and update root trust anchor for DNSSEC validation.
Type: boolean
Default:
trueDeclared by:
services.unbound.package¶
The unbound package to use
Type: package
Default:
"pkgs.unbound"Declared by:
services.unbound.allowedAccess¶
What networks are allowed to use unbound as a resolver.
Type: list of strings
Default:
[ "127.0.0.0/24" ]Declared by:
services.unbound.extraConfig¶
Extra unbound config. Seeunbound.conf8.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.unbound.forwardAddresses¶
services.unbound.interfaces¶
What addresses the server should listen on.
Type: list of strings
Default:
[ "127.0.0.1" "::1" ]Declared by:
services.unclutter.enable¶
Enable unclutter to hide your mouse cursor when inactive
Type: boolean
Default:
falseDeclared by:
services.unclutter.package¶
unclutter derivation to use.
Type: package
Default:
"pkgs.unclutter"Declared by:
services.unclutter.excluded¶
Names of windows where unclutter should not apply
Type: list of strings
Default: ``[
]``
Example:
[ "" ]Declared by:
services.unclutter.extraOptions¶
More arguments to pass to the unclutter command
Type: list of strings
Default: ``[
]``
Example:
[ "noevent" "grab" ]Declared by:
services.unclutter.keystroke¶
Wait for a keystroke before hiding the cursor
Type: boolean
Default:
falseDeclared by:
services.unclutter.threshold¶
Minimum number of pixels considered cursor movement
Type: signed integer
Default:
1Declared by:
services.unclutter.timeout¶
Number of seconds before the cursor is marked inactive
Type: signed integer
Default:
1Declared by:
services.unclutter-xfixes.enable¶
Enable unclutter-xfixes to hide your mouse cursor when inactive.
Type: boolean
Default:
falseDeclared by:
services.unclutter-xfixes.package¶
unclutter-xfixes derivation to use.
Type: package
Default:
"pkgs.unclutter-xfixes"Declared by:
services.unclutter-xfixes.extraOptions¶
More arguments to pass to the unclutter-xfixes command.
Type: list of strings
Default: ``[
]``
Example:
[ "exclude-root" "ignore-scrolling" "fork" ]Declared by:
services.unclutter-xfixes.threshold¶
Minimum number of pixels considered cursor movement.
Type: signed integer
Default:
1Declared by:
services.unclutter-xfixes.timeout¶
Number of seconds before the cursor is marked inactive.
Type: signed integer
Default:
1Declared by:
services.undervolt.enable¶
Whether to undervolt intel cpus.
Type: boolean
Default:
falseDeclared by:
services.undervolt.package¶
undervolt derivation to use.
Type: package
Default:
"pkgs.undervolt"Declared by:
services.undervolt.analogioOffset¶
The amount of voltage to offset analogio by. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.coreOffset¶
The amount of voltage to offset the CPU cores by. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.gpuOffset¶
The amount of voltage to offset the GPU by. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.temp¶
The temperature target. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.tempAc¶
The temperature target on AC power. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.tempBat¶
The temperature target on battery power. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.uncoreOffset¶
The amount of voltage to offset uncore by. Accepts a floating point number.
Type: null or string
Default:
nullDeclared by:
services.undervolt.verbose¶
Whether to enable verbose logging.
Type: boolean
Default:
falseDeclared by:
services.unifi.enable¶
Whether or not to enable the unifi controller service.
Type: boolean
Default:
falseDeclared by:
services.unifi.dataDir¶
Where to store the database and other data.
This directory will be bind-mounted to /var/lib/unifi/data as part of the service startup.
Type: string
Default:
"/var/lib/unifi/data"Declared by:
services.unifi.initialJavaHeapSize¶
Set the initial heap size for the JVM in MB. If this option isn’t set, the JVM will decide this value at runtime.
Type: null or signed integer
Default:
nullExample:
1024Declared by:
services.unifi.jrePackage¶
The JRE package to use. Check the release notes to ensure it is supported.
Type: package
Default:
"pkgs.jre8"Declared by:
services.unifi.maximumJavaHeapSize¶
Set the maximimum heap size for the JVM in MB. If this option isn’t set, the JVM will decide this value at runtime.
Type: null or signed integer
Default:
nullExample:
4096Declared by:
services.unifi.mongodbPackage¶
The mongodb package to use.
Type: package
Default:
"pkgs.mongodb"Declared by:
services.unifi.openPorts¶
Whether or not to open the minimum required ports on the firewall.
This is necessary to allow firmware upgrades and device discovery to work. For remote login, you should additionally open (or forward) port 8443.
Type: boolean
Default:
trueDeclared by:
services.unifi.unifiPackage¶
The unifi package to use.
Type: package
Default:
"pkgs.unifiLTS"Declared by:
services.unit.enable¶
Whether to enable Unit App Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.unit.package¶
Unit package to use.
Type: package
Default:
"pkgs.unit"Declared by:
services.unit.config¶
Unit configuration in JSON format. More details here https://unit.nginx.org/configuration
Type: string
Default:
'' { "listeners": {}, "applications": {} } ''Example:
{ "listeners": { "*:8300": { "application": "example-php-72" } }, "applications": { "example-php-72": { "type": "php 7.2", "processes": 4, "user": "nginx", "group": "nginx", "root": "/var/www", "index": "index.php", "options": { "file": "/etc/php.d/default.ini", "admin": { "max_execution_time": "30", "max_input_time": "30", "display_errors": "off", "display_startup_errors": "off", "open_basedir": "/dev/urandom:/proc/cpuinfo:/proc/meminfo:/etc/ssl/certs:/var/www", "disable_functions": "exec,passthru,shell_exec,system" } } } } }Declared by:
services.unit.group¶
Group account under which unit runs.
Type: string
Default:
"unit"Declared by:
services.unit.logDir¶
Unit log directory.
Type: unspecified
Default:
"/var/log/unit"Declared by:
services.unit.stateDir¶
Unit data directory.
Type: unspecified
Default:
"/var/spool/unit"Declared by:
services.unit.user¶
User account under which unit runs.
Type: string
Default:
"unit"Declared by:
services.upower.enable¶
Whether to enable Upower, a DBus service that provides power management support to applications.
Type: boolean
Default:
falseDeclared by:
services.upower.enableWattsUpPro¶
Enable the Watts Up Pro device.
The Watts Up Pro contains a generic FTDI USB device without a specific vendor and product ID. When we probe for WUP devices, we can cause the user to get a perplexing “Device or resource busy” error when attempting to use their non-WUP device.
The generic FTDI device is known to also be used on:
- Sparkfun FT232 breakout board
- Parallax Propeller
Type: boolean
Default:
falseDeclared by:
services.upower.package¶
Which upower package to use.
Type: package
Default:
"pkgs.upower"Example:
pkgs.upowerDeclared by:
services.upower.criticalPowerAction¶
The action to take when
timeActionor``percentageAction`` has been reached for the batteries (UPS or laptop batteries) supplying the computerType: one of “PowerOff”, “Hibernate”, “HybridSleep”
Default:
"HybridSleep"Declared by:
services.upower.ignoreLid¶
Do we ignore the lid state
Some laptops are broken. The lid state is either inverted, or stuck on or off. We can’t do much to fix these problems, but this is a way for users to make the laptop panel vanish, a state that might be used by a couple of user-space daemons. On Linux systems, see also logind.conf(5).
Type: boolean
Default:
falseDeclared by:
services.upower.noPollBatteries¶
Don’t poll the kernel for battery level changes.
Some hardware will send us battery level changes through events, rather than us having to poll for it. This option allows disabling polling for hardware that sends out events.
Type: boolean
Default:
falseDeclared by:
services.upower.percentageAction¶
When
usePercentageForPolicyis``true``, the levels at which UPower will take action for the critical battery level.This will also be used for batteries which don’t have time information such as that of peripherals.
If any value (of
percentageLow,``percentageCritical`` and``percentageAction``) is invalid, or not in descending order, the defaults will be used.Type: unsigned integer, meaning >=0
Default:
2Declared by:
services.upower.percentageCritical¶
When
usePercentageForPolicyis``true``, the levels at which UPower will consider the battery critical.This will also be used for batteries which don’t have time information such as that of peripherals.
If any value (of
percentageLow,``percentageCritical`` and``percentageAction``) is invalid, or not in descending order, the defaults will be used.Type: unsigned integer, meaning >=0
Default:
3Declared by:
services.upower.percentageLow¶
When
usePercentageForPolicyis``true``, the levels at which UPower will consider the battery low.This will also be used for batteries which don’t have time information such as that of peripherals.
If any value (of
percentageLow,``percentageCritical`` and``percentageAction``) is invalid, or not in descending order, the defaults will be used.Type: unsigned integer, meaning >=0
Default:
10Declared by:
services.upower.timeAction¶
When
usePercentageForPolicyis``false``, the time remaining at which UPower will take action for the critical battery level.If any value (of
timeLow,``timeCritical`` andtimeAction) is invalid, or not in descending order, the defaults will be used.Type: unsigned integer, meaning >=0
Default:
120Declared by:
services.upower.timeCritical¶
When
usePercentageForPolicyis``false``, the time remaining at which UPower will consider the battery critical.If any value (of
timeLow,``timeCritical`` andtimeAction) is invalid, or not in descending order, the defaults will be used.Type: unsigned integer, meaning >=0
Default:
300Declared by:
services.upower.timeLow¶
When
usePercentageForPolicyis``false``, the time remaining at which UPower will consider the battery low.If any value (of
timeLow,``timeCritical`` andtimeAction) is invalid, or not in descending order, the defaults will be used.Type: unsigned integer, meaning >=0
Default:
1200Declared by:
services.upower.usePercentageForPolicy¶
Policy for warnings and action based on battery levels
Whether battery percentage based policy should be used. The default is to use the percentage, which should work around broken firmwares. It is also more reliable than the time left (frantically saving all your files is going to use more battery than letting it rest for example).
Type: boolean
Default:
trueDeclared by:
services.uptime.enableSeparateMonitoringService¶
Whether to enable the uptime monitoring service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.uptime.enableWebService¶
Whether to enable the uptime monitoring program web service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.uptime.configFile¶
The uptime configuration file
If mongodb: server != localhost, please set usesRemoteMongo = true
If you only want to run the monitor, please set enableWebService = false and enableSeparateMonitoringService = true
If autoStartMonitor: false (recommended) and you want to run both services, please set enableSeparateMonitoringService = true
Type: null or path
Default:
nullDeclared by:
services.uptime.nodeEnv¶
The node environment to run in (development, production, etc.)
Type: string
Default:
"production"Declared by:
services.uptime.usesRemoteMongo¶
Whether the configuration file specifies a remote mongo instance
Type: boolean
Default:
falseDeclared by:
services.uptimed.enable¶
Enable
uptimed, allowing you to track your highest uptimes.Type: unspecified
Default:
falseDeclared by:
services.urxvtd.enable¶
Enable urxvtd, the urxvt terminal daemon. To use urxvtd, run “urxvtc”.
Type: boolean
Default:
falseDeclared by:
services.urxvtd.package¶
Package to install. Usually pkgs.rxvt-unicode.
Type: package
Default:
"pkgs.rxvt-unicode"Declared by:
services.usbguard.enable¶
Whether to enable USBGuard daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.usbguard.package¶
The usbguard package to use. If you do not need the Qt GUI, use``pkgs.usbguard-nox`` to save disk space.
Type: package
Default:
"pkgs.usbguard"Declared by:
services.usbguard.IPCAccessControlFiles¶
The files at this location will be interpreted by the daemon as IPC access control definition files. See the IPC ACCESS CONTROL section in usbguard-daemon.conf5 for more details.
Type: path
Default:
"/var/lib/usbguard/IPCAccessControl.d/"Declared by:
services.usbguard.IPCAllowedGroups¶
A list of groupnames that the daemon will accept IPC connections from.
Type: list of strings
Default: ``[
]``
Example:
[ "wheel" ]Declared by:
services.usbguard.IPCAllowedUsers¶
A list of usernames that the daemon will accept IPC connections from.
Type: list of strings
Default:
[ "root" ]Example:
[ "root" "yourusername" ]Declared by:
services.usbguard.auditFilePath¶
USBGuard audit events log file path.
Type: path
Default:
"/var/log/usbguard/usbguard-audit.log"Declared by:
services.usbguard.deviceRulesWithPort¶
Generate device specific rules including the “via-port” attribute.
Type: boolean
Default:
falseDeclared by:
services.usbguard.implictPolicyTarget¶
How to treat USB devices that don’t match any rule in the policy. Target should be one of allow, block or reject (logically remove the device node from the system).
Type: one of “allow”, “block”, “reject”, “keep”, “apply-policy”
Default:
"block"Declared by:
services.usbguard.insertedDevicePolicy¶
How to treat USB devices that are already connected after the daemon starts. One of block, reject, apply-policy.
Type: one of “allow”, “block”, “reject”, “keep”, “apply-policy”
Default:
"apply-policy"Declared by:
services.usbguard.presentControllerPolicy¶
How to treat USB controller devices that are already connected when the daemon starts. One of allow, block, reject, keep or apply-policy.
Type: one of “allow”, “block”, “reject”, “keep”, “apply-policy”
Default:
"keep"Declared by:
services.usbguard.presentDevicePolicy¶
How to treat USB devices that are already connected when the daemon starts. Policy should be one of allow, block, reject, keep (keep whatever state the device is currently in) or apply-policy (evaluate the rule set for every present device).
Type: one of “allow”, “block”, “reject”, “keep”, “apply-policy”
Default:
"apply-policy"Declared by:
services.usbguard.restoreControllerDeviceState¶
The USBGuard daemon modifies some attributes of controller devices like the default authorization state of new child device instances. Using this setting, you can controll whether the daemon will try to restore the attribute values to the state before modificaton on shutdown.
Type: boolean
Default:
falseDeclared by:
services.usbguard.ruleFile¶
The USBGuard daemon will use this file to load the policy rule set from it and to write new rules received via the IPC interface.
Running the command
usbguard generate-policyas root will generate a config for your currently plugged in devices. For a in depth guide consult the official documentation.Setting the
rulesoption will ignore the``ruleFile`` option.Type: path
Default:
"/var/lib/usbguard/rules.conf"Declared by:
services.usbguard.rules¶
The USBGuard daemon will load this policy rule set. Modifying it via the IPC interface won’t work if you use this option, since the contents of this option will be written into the nix-store it will be read-only.
You can still use
usbguard generate-policyto generate rules, but you would have to insert them here.Setting the
rulesoption will ignore the``ruleFile`` option.Type: null or strings concatenated with “\n”
Default:
nullExample:
'' allow with-interface equals { 08:*:* } ''Declared by:
services.usbmuxd.enable¶
Enable the usbmuxd (“USB multiplexing daemon”) service. This daemon is in charge of multiplexing connections over USB to an iOS device. This is needed for transferring data from and to iOS devices (see ifuse). Also this may enable plug-n-play tethering for iPhones.
Type: boolean
Default:
falseDeclared by:
services.usbmuxd.group¶
The group usbmuxd should use to run after startup.
Type: string
Default:
"usbmux"Declared by:
services.usbmuxd.user¶
The user usbmuxd should use to run after startup.
Type: string
Default:
"usbmux"Declared by:
services.uvcvideo.dynctrl.enable¶
Whether to enable uvcvideo dynamic controls.
Note that enabling this brings the uvcdynctrl tool into your environement and register all dynamic controls from specified packages to the uvcvideo driver.
Type: boolean
Default:
falseDeclared by:
services.uvcvideo.dynctrl.packages¶
List of packages containing uvcvideo dynamic controls rules. All files found in:file:None will be included.
Note that these will serve as input to the libwebcam package which through its own udev rule will register the dynamic controls from specified packages to the uvcvideo driver.
Type: list of paths
Example:
[ pkgs.tiscamera ]Declared by:
services.uwsgi.enable¶
Enable uWSGI
Type: boolean
Default:
falseDeclared by:
services.uwsgi.group¶
Group account under which uwsgi runs.
Type: string
Default:
"uwsgi"Declared by:
services.uwsgi.instance¶
uWSGI configuration. It awaits an attribute
typeinside which can be either``normal`` oremperor.For
normalmode you can specifypythonPackagesas a function from libraries set into a list of libraries.pythonpathwill be set accordingly.For
emperormode, you should usevassalsattribute which should be either a set of names and configurations or a path to a directory.Other attributes will be used in configuration file as-is. Notice that you can redefine``plugins`` setting here.
Type: attribute set
Default:
{ type = "normal"; }Example:
{ type = "emperor"; vassals = { moin = { type = "normal"; pythonPackages = self: with self; [ moinmoin ]; socket = "/run/uwsgi/uwsgi.sock"; }; }; }Declared by:
services.uwsgi.runDir¶
Where uWSGI communication sockets can live
Type: path
Default:
"/run/uwsgi"Declared by:
services.uwsgi.user¶
User account under which uwsgi runs.
Type: string
Default:
"uwsgi"Declared by:
services.v2ray.enable¶
Whether to run v2ray server.
Either
configFileorconfigmust be specified.Type: boolean
Default:
falseDeclared by:
services.v2ray.config¶
The configuration object.
Either `configFile` or `config` must be specified.
See ` <https://v2ray.com/en/configuration/overview.html>`_.
Type: null or attribute set of unspecifieds
Default:
nullExample: ``{ inbounds = [
{ listen = “127.0.0.1”; port = 1080; protocol = “http”; }
] ; outbounds = [
{ protocol = “freedom”; }
}``
Declared by:
services.v2ray.configFile¶
The absolute path to the configuration file.
Either
configFileorconfigmust be specified.See ` <https://v2ray.com/en/configuration/overview.html>`_.
Type: null or string
Default:
nullExample:
"/etc/v2ray/config.json"Declared by:
services.varnish.enable¶
Whether to enable Varnish Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.varnish.package¶
The package to use
Type: package
Default:
"pkgs.varnish"Declared by:
services.varnish.config¶
Verbatim default.vcl configuration.
Type: strings concatenated with “\n”
Declared by:
services.varnish.extraCommandLine¶
Command line switches for varnishd (run ‘varnishd -?’ to get list of options)
Type: string
Default:
""Example:
"-s malloc,256M"Declared by:
services.varnish.extraModules¶
Varnish modules (except ‘std’).
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.varnishPackages.geoip ]Declared by:
services.varnish.http_address¶
HTTP listen address and port.
Type: string
Default:
"\*:6081"Declared by:
services.varnish.stateDir¶
Directory holding all state for Varnish to run.
Type: path
Default:
"/var/spool/varnish/nixos"Declared by:
services.vault.enable¶
Whether to enable Vault daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.vault.package¶
This option specifies the vault package to use.
Type: package
Default:
"pkgs.vault"Declared by:
services.vault.address¶
The name of the ip interface to listen to
Type: string
Default:
"127.0.0.1:8200"Declared by:
services.vault.extraConfig¶
Extra text appended to
vault.hcl.Type: strings concatenated with “\n”
Default:
""Declared by:
services.vault.listenerExtraConfig¶
Extra text appended to the listener section.
Type: strings concatenated with “\n”
Default:
'' tls_min_version = "tls12" ''Declared by:
services.vault.storageBackend¶
The name of the type of storage backend
Type: one of “inmem”, “file”, “consul”, “zookeeper”, “s3”, “azure”, “dynamodb”, “etcd”, “mssql”, “mysql”, “postgresql”, “swift”, “gcs”, “raft”
Default:
"inmem"Declared by:
services.vault.storageConfig¶
Storage configuration
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
services.vault.storagePath¶
Data directory for file backend
Type: null or path
Default:
nullDeclared by:
services.vault.telemetryConfig¶
Telemetry configuration
Type: strings concatenated with “\n”
Default:
""Declared by:
services.vault.tlsCertFile¶
TLS certificate file. TLS will be disabled unless this option is set
Type: null or string
Default:
nullExample:
"/path/to/your/cert.pem"Declared by:
services.vault.tlsKeyFile¶
TLS private key file. TLS will be disabled unless this option is set
Type: null or string
Default:
nullExample:
"/path/to/your/key.pem"Declared by:
services.vdr.enable¶
Whether to enable VDR. Please put config into /var/lib/vdr.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.vdr.enableLirc¶
Whether to enable LIRC.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.vdr.package¶
Package to use.
Type: package
Default:
"pkgs.vdr"Example:
pkgs.wrapVdr.override { plugins = with pkgs.vdrPlugins; [ hello ]; }Declared by:
services.vdr.extraArguments¶
Additional command line arguments to pass to VDR.
Type: list of strings
Default: ``[
]``
Declared by:
services.vdr.videoDir¶
Recording directory
Type: path
Default:
"/srv/vdr/video"Declared by:
services.venus.enable¶
Planet Venus is an awesome ‘river of news’ feed reader. It downloads news feeds published by web sites and aggregates their content together into a single combined feed, latest news first.
Type: boolean
Default:
falseDeclared by:
services.venus.cacheDirectory¶
Where cached feeds are stored.
Type: path
Default:
"/var/cache/venus"Declared by:
services.venus.dates¶
Specification (in the format described bysystemd.time7) of the time at which the Venus will collect feeds.
Type: string
Default:
"\*:0/15"Declared by:
services.venus.feeds¶
List of feeds.
Type: unspecified
Default: ``[
]``
Example: ``[
{ feedUrl = “http://url/to/rss/feed.xml”; homepageUrl = “http://garbas.si”; name = “Rok Garbas”; }
]``
Declared by:
services.venus.group¶
Group for running venus script.
Type: string
Default:
"root"Declared by:
services.venus.itemsPerPage¶
How many items to put on each page.
Type: signed integer
Default:
15Declared by:
services.venus.link¶
Link to the main page.
Type: string
Default:
"http://planet.nixos.org"Declared by:
services.venus.name¶
Your planet’s name.
Type: string
Default:
"NixOS Planet"Declared by:
services.venus.outputDirectory¶
services.venus.outputTheme¶
Directory containing a config.ini file which is merged with this one. This is typically used to specify templating and bill of material information.
Type: path
Default:
"\\${pkgs.venus}/themes/classic_fancy"Declared by:
services.venus.ownerEmail¶
Your e-mail address.
Type: string
Default:
"some@example.com"Declared by:
services.venus.ownerName¶
Your name.
Type: string
Default:
"Rok Garbas"Declared by:
services.venus.user¶
User for running venus script.
Type: string
Default:
"root"Declared by:
services.victoriametrics.enable¶
Whether to enable victoriametrics.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.victoriametrics.package¶
The VictoriaMetrics distribution to use.
Type: package
Default:
"pkgs.victoriametrics"Declared by:
services.victoriametrics.extraOptions¶
Extra options to pass to VictoriaMetrics. See the README: ` <https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/README.md>`_ or victoriametrics -help for more information.
Type: list of strings
Default: ``[
]``
Declared by:
services.victoriametrics.listenAddress¶
The listen address for the http interface.
Type: string
Default:
":8428"Declared by:
services.victoriametrics.retentionPeriod¶
Retention period in months.
Type: signed integer
Default:
1Declared by:
services.virtlyst.enable¶
Whether to enable Virtlyst libvirt web interface.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.virtlyst.adminPassword¶
Initial admin password with which the database will be seeded.
Type: string
Declared by:
services.virtlyst.httpSocket¶
IP and/or port to which to bind the http socket.
Type: string
Default:
"localhost:3000"Declared by:
services.virtuoso.enable¶
Whether to enable Virtuoso Opensource database server.
Type: unspecified
Default:
falseDeclared by:
services.virtuoso.config¶
Extra options to put into Virtuoso configuration file.
Type: unspecified
Default:
""Declared by:
services.virtuoso.dirsAllowed¶
A list of directories Virtuoso is allowed to access
Type: unspecified
Default:
nullExample:
"/www, /home/"Declared by:
services.virtuoso.httpListenAddress¶
ip:port or port for Virtuoso HTTP server to listen on.
Type: unspecified
Default:
nullExample:
"myserver:8080"Declared by:
services.virtuoso.listenAddress¶
ip:port or port to listen on.
Type: unspecified
Default:
"1111"Example:
"myserver:1323"Declared by:
services.virtuoso.parameters¶
Extra options to put into [Parameters] section of Virtuoso configuration file.
Type: unspecified
Default:
""Declared by:
services.vnstat.enable¶
Whether to enable update of network usage statistics via vnstatd.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.enable¶
Whether to enable vsftpd.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.vsftpd.enableVirtualUsers¶
Whether to enable the
pam_userdb-based virtual user systemType: boolean
Default:
falseDeclared by:
services.vsftpd.allowWriteableChroot¶
Allow the use of writeable root inside chroot().
Type: boolean
Default:
falseDeclared by:
services.vsftpd.anonymousMkdirEnable¶
Whether any uploads are permitted to anonymous users.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.anonymousUmask¶
Anonymous write umask.
Type: string
Default:
"077"Example:
"002"Declared by:
services.vsftpd.anonymousUploadEnable¶
Whether any uploads are permitted to anonymous users.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.anonymousUser¶
Whether to enable the anonymous FTP user.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.anonymousUserHome¶
Directory to consider the HOME of the anonymous user.
Type: path
Default:
"/home/ftp/"Declared by:
services.vsftpd.anonymousUserNoPassword¶
Whether to disable the password for the anonymous FTP user.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.chrootlocalUser¶
Whether local users are confined to their home directory.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.extraConfig¶
Extra configuration to add at the bottom of the generated configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
"ftpd_banner=Hello"Declared by:
services.vsftpd.forceLocalDataSSL¶
Only applies if is true. Non anonymous (local) users must use a secure SSL connection for sending/receiving data on data connection.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.forceLocalLoginsSSL¶
Only applies if is true. Non anonymous (local) users must use a secure SSL connection to send a password.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.localRoot¶
This option represents a directory which vsftpd will try to change into after a local (i.e. non- anonymous) login.
Failure is silently ignored.
Type: null or string
Default:
nullExample:
"/var/www/\\$USER"Declared by:
services.vsftpd.localUsers¶
Whether to enable FTP for local users.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.portPromiscuous¶
Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!
Type: boolean
Default:
falseDeclared by:
services.vsftpd.rsaCertFile¶
RSA certificate file.
Type: null or path
Default:
nullDeclared by:
services.vsftpd.rsaKeyFile¶
RSA private key file.
Type: null or path
Default:
nullDeclared by:
services.vsftpd.ssl_sslv2¶
Only applies if is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.ssl_sslv3¶
Only applies if is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.ssl_tlsv1¶
Only applies if is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.
Type: boolean
Default:
trueDeclared by:
services.vsftpd.userDbPath¶
Only applies if is true. Path pointing to the
pam_userdbuser database used by vsftpd to authenticate the virtual users.This user list should be stored in the Berkeley DB database format.
To generate a new user database, create a text file, add your users using the following format:
user1 password1 user2 password2You can then install
pkgs.dbto generate the Berkeley DB usingdb_load -T -t hash -f logins.txt userDb.dbCaution:
pam_userdbwill automatically append a.dbsuffix to the filename you provide though this option. This option shouldn’t include this filetype suffix.Type: null or string
Default:
nullExample:
"/etc/vsftpd/userDb"Declared by:
services.vsftpd.userlistDeny¶
Specifies whether is a list of user names to allow or deny access. The default
falsemeans whitelist/allow.Type: boolean
Default:
falseDeclared by:
services.vsftpd.userlistEnable¶
Whether users are included.
Type: boolean
Default:
falseDeclared by:
services.vsftpd.userlistFile¶
Newline separated list of names to be allowed/denied if is
true. Meaning see .The default is a file containing the users from .
If explicitely set to null userlist_file will not be set in vsftpd’s config file.
Type: path
Default:
'' pkgs.writeText "userlist" (concatMapStrings (x: "''${x} ") cfg.userlist)''Declared by:
services.vsftpd.virtualUseLocalPrivs¶
If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).
Type: boolean
Default:
falseDeclared by:
services.vsftpd.writeEnable¶
Whether any write activity is permitted to users.
Type: boolean
Default:
falseDeclared by:
services.wakeonlan.interfaces¶
Interfaces where to enable Wake-On-LAN, and how. Two methods available: “magicpacket” and “password”. The password has the shape of six bytes in hexadecimal separated by a colon each. For more information, check the ethtool manual.
Type: unspecified
Default: ``[
]``
Example: ``[
{ interface = “eth0”; method = “password”; password = “00:11:22:33:44:55”; }
]``
Declared by:
services.weechat.enable¶
Whether to enable weechat.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.weechat.binary¶
Binary to execute (by default ${weechat}/bin/weechat).
Type: unspecified
Default:
"\\${pkgs.weechat}/bin/weechat"Example:
${pkgs.weechat}/bin/weechat-headlessDeclared by:
services.weechat.root¶
Weechat state directory.
Type: string
Default:
"/var/lib/weechat"Declared by:
services.weechat.sessionName¶
Name of the `screen’ session for weechat.
Type: string
Default:
"weechat-screen"Declared by:
services.wordpress¶
Specification of one or more WordPress sites to serve via Apache.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
services.wordpress.<name>.package¶
Which WordPress package to use.
Type: package
Default:
*(build of wordpress-5.3.2)*Declared by:
services.wordpress.<name>.database.createLocally¶
Create the database and database user locally.
Type: boolean
Default:
trueDeclared by:
services.wordpress.<name>.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.wordpress.<name>.database.name¶
Database name.
Type: string
Default:
"wordpress"Declared by:
services.wordpress.<name>.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/wordpress-dbpassword"Declared by:
services.wordpress.<name>.database.port¶
Database host port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3306Declared by:
services.wordpress.<name>.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
"/run/mysqld/mysqld.sock"Declared by:
services.wordpress.<name>.database.tablePrefix¶
The $table_prefix is the value placed in the front of your database tables. Change the value if you want to use something other than wp_ for your database prefix. Typically this is changed if you are installing multiple WordPress blogs in the same database.
See ` <https://codex.wordpress.org/Editing_wp-config.php#table_prefix>`_.
Type: string
Default:
"wp_"Declared by:
services.wordpress.<name>.database.user¶
Database user.
Type: string
Default:
"wordpress"Declared by:
services.wordpress.<name>.extraConfig¶
Any additional text to be appended to the wp-config.php configuration file. This is a PHP script. For configuration settings, see ` <https://codex.wordpress.org/Editing_wp-config.php>`_.
Type: strings concatenated with “\n”
Default:
""Example:
'' define( 'AUTOSAVE_INTERVAL', 60 ); // Seconds ''Declared by:
services.wordpress.<name>.plugins¶
List of path(s) to respective plugin(s) which are copied from the ‘plugins’ directory.
Note
These plugins need to be packaged before use, see example.
Type: list of paths
Default: ``[
]``
Example:
'' # Wordpress plugin 'embed-pdf-viewer' installation example embedPdfViewerPlugin = pkgs.stdenv.mkDerivation { name = "embed-pdf-viewer-plugin"; # Download the theme from the wordpress site src = pkgs.fetchurl { url = https://downloads.wordpress.org/plugin/embed-pdf-viewer.2.0.3.zip; sha256 = "1rhba5h5fjlhy8p05zf0p14c9iagfh96y91r36ni0rmk6y891lyd"; }; # We need unzip to build this package buildInputs = [ pkgs.unzip ]; # Installing simply means copying all files to the output directory installPhase = "mkdir -p $out; cp -R * $out/"; }; And then pass this theme to the themes list like this: plugins = [ embedPdfViewerPlugin ]; ''Declared by:
services.wordpress.<name>.poolConfig¶
Options for the WordPress PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.wordpress.<name>.themes¶
List of path(s) to respective theme(s) which are copied from the ‘theme’ directory.
Note
These themes need to be packaged before use, see example.
Type: list of paths
Default: ``[
]``
Example:
'' # Let's package the responsive theme responsiveTheme = pkgs.stdenv.mkDerivation { name = "responsive-theme"; # Download the theme from the wordpress site src = pkgs.fetchurl { url = https://downloads.wordpress.org/theme/responsive.3.14.zip; sha256 = "0rjwm811f4aa4q43r77zxlpklyb85q08f9c8ns2akcarrvj5ydx3"; }; # We need unzip to build this package buildInputs = [ pkgs.unzip ]; # Installing simply means copying all files to the output directory installPhase = "mkdir -p $out; cp -R * $out/"; }; And then pass this theme to the themes list like this: themes = [ responsiveTheme ]; ''Declared by:
services.wordpress.<name>.uploadsDir¶
This directory is used for uploads of pictures. The directory passed here is automatically created and permissions adjusted as required.
Type: path
Default:
"/var/lib/wordpress/‹name›/uploads"Declared by:
services.wordpress.<name>.virtualHost¶
Apache configuration can be done by adapting .
Type: submodule
Example:
{ adminAddr = "webmaster@example.org"; forceSSL = true; enableACME = true; }Declared by:
services.wordpress.<name>.virtualHost.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.wordpress.<name>.virtualHost.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.wordpress.<name>.virtualHost.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.wordpress.<name>.virtualHost.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.wordpress.<name>.virtualHost.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.wordpress.<name>.virtualHost.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.wordpress.<name>.virtualHost.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.listen¶
services.wordpress.<name>.virtualHost.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.wordpress.<name>.virtualHost.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.wordpress.<name>.virtualHost.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.wordpress.<name>.virtualHost.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.wordpress.<name>.virtualHost.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.wordpress.<name>.virtualHost.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.wordpress.<name>.virtualHost.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.wordpress.<name>.virtualHost.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.wordpress.<name>.virtualHost.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.wordpress.<name>.virtualHost.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.wordpress.<name>.virtualHost.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.wordpress.<name>.virtualHost.servedDirs¶
services.wordpress.<name>.virtualHost.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.wordpress.<name>.virtualHost.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.wordpress.<name>.virtualHost.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.wordpress.<name>.virtualHost.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.wordpress.<name>.virtualHost.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.wordpress.<name>.virtualHost.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.xandikos.enable¶
Whether to enable Xandikos CalDAV and CardDAV server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xandikos.package¶
The Xandikos package to use.
Type: package
Default:
"pkgs.xandikos"Declared by:
services.xandikos.address¶
The IP address on which Xandikos will listen. By default listens on localhost.
Type: string
Default:
"localhost"Declared by:
services.xandikos.extraOptions¶
Extra command line arguments to pass to xandikos.
Type: list of strings
Default: ``[
]``
Example:
[ "--autocreate" "--defaults" "--current-user-principal user" "--dump-dav-xml" ]Declared by:
services.xandikos.nginx¶
services.xandikos.nginx.enable¶
Configure the nginx reverse proxy settings.
Type: boolean
Default:
falseDeclared by:
services.xandikos.nginx.hostName¶
The hostname use to setup the virtualhost configuration
Type: string
Declared by:
services.xandikos.port¶
The port of the Xandikos web application
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080Declared by:
services.xandikos.routePrefix¶
Path to Xandikos. Useful when Xandikos is behind a reverse proxy.
Type: string
Default:
"/"Declared by:
services.xbanish.enable¶
Whether to enable xbanish.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xbanish.arguments¶
Arguments to pass to xbanish command
Type: string
Default:
""Example:
"-d -i shift"Declared by:
services.xe-guest-utilities.enable¶
Whether to enable the Xen guest utilities daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xfs.enable¶
Whether to enable the X Font Server.
Type: boolean
Default:
falseDeclared by:
services.xinetd.enable¶
Whether to enable the xinetd super-server daemon.
Type: unspecified
Default:
falseDeclared by:
services.xinetd.extraDefaults¶
Additional configuration lines added to the default section of xinetd’s configuration.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xinetd.services¶
services.xinetd.services.*.extraConfig¶
Extra configuration-lines added to the section of the service.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xinetd.services.*.flags¶
services.xinetd.services.*.name¶
Name of the service.
Type: string
Example:
"login"Declared by:
services.xinetd.services.*.port¶
Port number of the service.
Type: signed integer
Default:
0Example:
123Declared by:
services.xinetd.services.*.protocol¶
Protocol of the service. Usually
tcporudp.Type: string
Default:
"tcp"Declared by:
services.xinetd.services.*.server¶
Path of the program that implements the service.
Type: string
Example:
"/foo/bin/ftpd"Declared by:
services.xinetd.services.*.serverArgs¶
Command-line arguments for the server program.
Type: strings concatenated with ” “
Default:
""Declared by:
services.xinetd.services.*.unlisted¶
Whether this server is listed in:file:/etc/services. If so, the port number can be omitted.
Type: boolean
Default:
falseDeclared by:
services.xinetd.services.*.user¶
User account for the service
Type: string
Default:
"nobody"Declared by:
services.xl2tpd.enable¶
Whether to enable xl2tpd, the Layer 2 Tunnelling Protocol Daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xl2tpd.clientIpRange¶
The range from which client IPs are drawn.
Type: string
Default:
"10.125.125.2-11"Declared by:
services.xl2tpd.extraPppdOptions¶
Adds extra lines to the pppd options file.
Type: strings concatenated with “\n”
Default:
""Example:
'' ms-dns 8.8.8.8 ms-dns 8.8.4.4 ''Declared by:
services.xl2tpd.extraXl2tpOptions¶
Adds extra lines to the xl2tpd configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xl2tpd.serverIp¶
The server-side IP address.
Type: string
Default:
"10.125.125.1"Declared by:
services.xmr-stak.enable¶
Whether to enable xmr-stak miner.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xmr-stak.configFiles¶
Content of config files like config.txt, pools.txt or cpu.txt.
Type: attribute set of strings
Default: ``{
}``
Example:
{ "config.txt" = '' "verbose_level" : 4, "h_print_time" : 60, "tls_secure_algo" : true, ''; "pools.txt" = '' "currency" : "monero7", "pool_list" : [ { "pool_address" : "pool.supportxmr.com:443", "wallet_address" : "my-wallet-address", "rig_id" : "", "pool_password" : "nixos", "use_nicehash" : false, "use_tls" : true, "tls_fingerprint" : "", "pool_weight" : 23 }, ], ''; }Declared by:
services.xmr-stak.cudaSupport¶
Whether to enable support for CUDA (NVidia graphics cards).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xmr-stak.extraArgs¶
List of parameters to pass to xmr-stak.
Type: list of strings
Default: ``[
]``
Example:
[ "--noCPU" "--currency monero" ]Declared by:
services.xmr-stak.openclSupport¶
Whether to enable support for OpenCL (AMD/ATI graphics cards).
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xrdp.enable¶
Whether to enable xrdp, the Remote Desktop Protocol server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xrdp.package¶
The package to use for the xrdp daemon’s binary.
Type: package
Default:
"pkgs.xrdp"Declared by:
services.xrdp.defaultWindowManager¶
The script to run when user log in, usually a window manager, e.g. “icewm”, “xfce4-session” This is per-user overridable, if file ~/startwm.sh exists it will be used instead.
Type: string
Default:
"xterm"Example:
"xfce4-session"Declared by:
services.xrdp.port¶
Specifies on which port the xrdp daemon listens.
Type: signed integer
Default:
3389Declared by:
services.xrdp.sslCert¶
ssl certificate path A self-signed certificate will be generated if file not exists.
Type: string
Default:
"/etc/xrdp/cert.pem"Example:
"/path/to/your/cert.pem"Declared by:
services.xrdp.sslKey¶
ssl private key path A self-signed certificate will be generated if file not exists.
Type: string
Default:
"/etc/xrdp/key.pem"Example:
"/path/to/your/key.pem"Declared by:
services.xserver.enable¶
Whether to enable the X server.
Type: boolean
Default:
falseDeclared by:
services.xserver.enableCtrlAltBackspace¶
Whether to enable the DontZap option, which binds Ctrl+Alt+Backspace to forcefully kill X. This can lead to data loss and is disabled by default.
Type: boolean
Default:
falseDeclared by:
services.xserver.enableTCP¶
Whether to allow the X server to accept TCP connections.
Type: boolean
Default:
falseDeclared by:
services.xserver.autoRepeatDelay¶
Sets the autorepeat delay (length of time in milliseconds that a key must be depressed before autorepeat starts).
Type: null or signed integer
Default:
nullDeclared by:
services.xserver.autoRepeatInterval¶
Sets the autorepeat interval (length of time in milliseconds that should elapse between autorepeat-generated keystrokes).
Type: null or signed integer
Default:
nullDeclared by:
services.xserver.autorun¶
Whether to start the X server automatically.
Type: boolean
Default:
trueDeclared by:
services.xserver.cmt.enable¶
Enable chrome multitouch input (cmt). Touchpad drivers that are configured for chromebooks.
Type: boolean
Default:
falseDeclared by:
services.xserver.cmt.models¶
Which models to enable cmt for. Enter the Code Name for your Chromebook. Code Name can be found at ` <https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices>`_.
Type: one of “atlas”, “banjo”, “candy”, “caroline”, “cave”, “celes”, “clapper”, “cyan”, “daisy”, “elan”, “elm”, “enguarde”, “eve”, “expresso”, “falco”, “gandof”, “glimmer”, “gnawty”, “heli”, “kevin”, “kip”, “leon”, “lulu”, “orco”, “pbody”, “peppy”, “pi”, “pit”, “puppy”, “quawks”, “rambi”, “samus”, “snappy”, “spring”, “squawks”, “swanky”, “winky”, “wolf”, “auron_paine”, “auron_yuna”, “daisy_skate”, “nyan_big”, “nyan_blaze”, “veyron_jaq”, “veyron_jerry”, “veyron_mighty”, “veyron_minnie”, “veyron_speedy”
Example:
"banjo"Declared by:
services.xserver.config¶
The contents of the configuration file of the X server (
xorg.conf).Type: strings concatenated with “\n”
Declared by:
services.xserver.defaultDepth¶
Default colour depth.
Type: signed integer
Default:
0Example:
8Declared by:
services.xserver.desktopManager.cde.enable¶
Whether to enable Common Desktop Environment.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.default¶
Deprecated, please use services.xserver.displayManager.defaultSession instead.
Default desktop manager loaded if none have been chosen.
Type: null or string
Default:
nullExample:
"none"Declared by:
services.xserver.desktopManager.enlightenment.enable¶
Enable the Enlightenment desktop environment.
Type: unspecified
Default:
falseDeclared by:
services.xserver.desktopManager.gnome3.enable¶
Enable Gnome 3 desktop manager.
Type: unspecified
Default:
falseDeclared by:
services.xserver.desktopManager.gnome3.debug¶
Whether to enable gnome-session debug messages.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.gnome3.extraGSettingsOverridePackages¶
List of packages for which gsettings are overridden.
Type: list of paths
Default: ``[
]``
Declared by:
services.xserver.desktopManager.gnome3.extraGSettingsOverrides¶
Additional gsettings overrides.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.desktopManager.gnome3.flashback.enableMetacity¶
Whether to enable the standard GNOME Flashback session with Metacity.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.gnome3.flashback.customSessions¶
services.xserver.desktopManager.gnome3.flashback.customSessions.*.wmCommand¶
The executable of the window manager to use.
Type: string
Example:
"\\${pkgs.haskellPackages.xmonad}/bin/xmonad"Declared by:
services.xserver.desktopManager.gnome3.flashback.customSessions.*.wmLabel¶
The pretty name of the window manager to use.
Type: string
Example:
"XMonad"Declared by:
services.xserver.desktopManager.gnome3.flashback.customSessions.*.wmName¶
The filename-compatible name of the window manager to use.
Type: string
Example:
"xmonad"Declared by:
services.xserver.desktopManager.gnome3.sessionPath¶
Additional list of packages to be added to the session search path. Useful for GNOME Shell extensions or GSettings-conditional autostart.
Note that this should be a last resort; patching the package is preferred (see GPaste).
Type: unspecified
Default: ``[
]``
Example:
[ pkgs.gnome3.gpaste ]Declared by:
services.xserver.desktopManager.kodi.enable¶
Enable the kodi multimedia center.
Type: unspecified
Default:
falseDeclared by:
services.xserver.desktopManager.lumina.enable¶
Enable the Lumina desktop manager
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.lxqt.enable¶
Enable the LXQt desktop manager
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.mate.enable¶
Enable the MATE desktop environment
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.mate.debug¶
Whether to enable mate-session debug messages.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.maxx.enable¶
Whether to enable MaXX desktop environment.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.pantheon.enable¶
Enable the pantheon desktop manager
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.pantheon.debug¶
Whether to enable gnome-session debug messages.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.pantheon.extraGSettingsOverridePackages¶
List of packages for which gsettings are overridden.
Type: list of paths
Default: ``[
]``
Declared by:
services.xserver.desktopManager.pantheon.extraGSettingsOverrides¶
Additional gsettings overrides.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.desktopManager.pantheon.extraSwitchboardPlugs¶
Plugs to add to Switchboard.
Type: null or list of packages
Default:
nullDeclared by:
services.xserver.desktopManager.pantheon.extraWingpanelIndicators¶
Indicators to add to Wingpanel.
Type: null or list of packages
Default:
nullDeclared by:
services.xserver.desktopManager.pantheon.sessionPath¶
Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart.
Note that this should be a last resort; patching the package is preferred (see GPaste).
Type: unspecified
Default: ``[
]``
Example:
[ pkgs.gnome3.gpaste ]Declared by:
services.xserver.desktopManager.plasma5.enable¶
Enable the Plasma 5 (KDE 5) desktop environment.
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.plasma5.phononBackend¶
Phonon audio backend to install.
Type: one of “gstreamer”, “vlc”
Default:
"gstreamer"Example:
"vlc"Declared by:
services.xserver.desktopManager.surf-display.enable¶
Whether to enable surf-display as a kiosk browser session.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.desktopManager.surf-display.defaultWwwUri¶
Default URI to display.
Type: string
Default:
"\\${pkgs.surf-display}/share/surf-display/empty-page.html"Example:
"https://www.example.com/"Declared by:
services.xserver.desktopManager.surf-display.extraConfig¶
Extra configuration options to append to
/etc/default/surf-display.Type: strings concatenated with “\n”
Default:
""Example:
'' # Enforce fixed resolution for all displays (default: not set): DEFAULT_RESOLUTION="1920x1080" # HTTP proxy URL, if needed (default: not set). HTTP_PROXY_URL="http://webcache:3128" # Configure individual display screens with host specific parameters: DISPLAYS['display-host-0']="www_uri=https://www.displayserver.comany.net/display-1/index.html" DISPLAYS['display-host-1']="www_uri=https://www.displayserver.comany.net/display-2/index.html" DISPLAYS['display-host-2']="www_uri=https://www.displayserver.comany.net/display-3/index.html|res=1920x1280" DISPLAYS['display-host-3']="www_uri=https://www.displayserver.comany.net/display-4/index.html"|res=1280x1024" DISPLAYS['display-host-local-file']="www_uri=file:///usr/share/doc/surf-display/empty-page.html" ''Declared by:
services.xserver.desktopManager.surf-display.hideIdlePointer¶
Hide idle mouse pointer.
Type: string
Default:
"yes"Example:
"no"Declared by:
services.xserver.desktopManager.surf-display.inactivityInterval¶
Setting for internal inactivity timer to restart surf-display if the user goes inactive/idle to get a fresh session for the next user of the kiosk.
If this value is set to zero, the whole feature of restarting due to inactivity is disabled.
Type: signed integer
Default:
300Example:
"0"Declared by:
services.xserver.desktopManager.surf-display.pointerButtonMap¶
Disable right and middle pointer device click in browser sessions while keeping scrolling wheels’ functionality intact. See pointer subcommand on
man xmodmapfor details.Type: string
Default:
"1 0 0 4 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"Declared by:
services.xserver.desktopManager.surf-display.screensaverSettings¶
Screensaver settings, see
man 1 xsetfor possible options.Type: strings concatenated with ” “
Default:
""Declared by:
services.xserver.desktopManager.wallpaper.combineScreens¶
When set to
truethe wallpaper will stretch across all screens. When set tofalsethe wallpaper is duplicated to all screens.Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.wallpaper.mode¶
The file
~/.background-imageis used as a background image. This option specifies the placement of this image onto your desktop.Possible values:
center: Center the image on the background. If it is too small, it will be surrounded by a black border.``fill``: Likescale, but preserves aspect ratio by zooming the image until it fits. Either a horizontal or a vertical part of the image will be cut off.``max``: Likefill, but scale the image to the maximum size that fits the screen with black borders on one side.``scale``: Fit the file into the background without repeating it, cutting off stuff or using borders. But the aspect ratio is not preserved either.``tile``: Tile (repeat) the image in case it is too small for the screen.Type: one of “center”, “fill”, “max”, “scale”, “tile”
Default:
"scale"Example:
"fill"Declared by:
services.xserver.desktopManager.xfce.enable¶
Enable the Xfce desktop environment.
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.xfce.enableXfwm¶
Enable the XFWM (default) window manager.
Type: boolean
Default:
trueDeclared by:
services.xserver.desktopManager.xfce.noDesktop¶
Don’t install XFCE desktop components (xfdesktop, panel and notification daemon).
Type: boolean
Default:
falseDeclared by:
services.xserver.desktopManager.xfce.thunarPlugins¶
A list of plugin that should be installed with Thunar.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.xfce.thunar-archive-plugin ]Declared by:
services.xserver.desktopManager.xterm.enable¶
Enable a xterm terminal as a desktop manager.
Type: boolean
Default:
"false"Declared by:
services.xserver.deviceSection¶
Contents of the first Device section of the X server configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
"VideoRAM 131072"Declared by:
services.xserver.digimend.enable¶
Whether to enable the digimend drivers for Huion/XP-Pen/etc. tablets.
Type: unspecified
Default:
falseDeclared by:
services.xserver.display¶
Display number for the X server.
Type: null or signed integer
Default:
0Declared by:
services.xserver.displayManager.defaultSession¶
Graphical session to pre-select in the session chooser (only effective for GDM and LightDM).
On GDM, LightDM and SDDM, it will also be used as a session for auto-login.
Type: session name
Default:
nullExample:
"gnome"Declared by:
services.xserver.displayManager.gdm.enable¶
Whether to enable GDM, the GNOME Display Manager .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.displayManager.gdm.autoLogin¶
services.xserver.displayManager.gdm.autoLogin.enable¶
Automatically log in as the sepecified .
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.gdm.autoLogin.delay¶
Seconds of inactivity after which the autologin will be performed.
Type: signed integer
Default:
0Declared by:
services.xserver.displayManager.gdm.autoLogin.user¶
User to be used for the autologin.
Type: null or string
Default:
nullDeclared by:
services.xserver.displayManager.gdm.autoSuspend¶
Suspend the machine after inactivity.
Type: boolean
Default:
trueDeclared by:
services.xserver.displayManager.gdm.debug¶
Whether to enable debugging messages in GDM .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.displayManager.gdm.nvidiaWayland¶
Whether to allow wayland to be used with the proprietary NVidia graphics driver.
Type: unspecified
Default:
falseDeclared by:
services.xserver.displayManager.gdm.wayland¶
Allow GDM to run on Wayland instead of Xserver. Note to enable Wayland with Nvidia you need to enable the .
Type: boolean
Default:
trueDeclared by:
services.xserver.displayManager.job.environment¶
Additional environment variables needed by the display manager.
Type: attribute set of unspecifieds
Default: ``{
}``
Declared by:
services.xserver.displayManager.job.execCmd¶
Command to start the display manager.
Type: string
Example:
"${pkgs.lightdm}/bin/lightdm"Declared by:
services.xserver.displayManager.job.logToFile¶
Whether the display manager redirects the output of the session script to
~/.xsession-errors.Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.job.logToJournal¶
Whether the display manager redirects the output of the session script to the systemd journal.
Type: boolean
Default:
trueDeclared by:
services.xserver.displayManager.job.preStart¶
Script executed before the display manager is started.
Type: strings concatenated with “\n”
Default:
""Example:
"rm -f /var/log/my-display-manager.log"Declared by:
services.xserver.displayManager.lightdm.enable¶
Whether to enable lightdm as the display manager.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.lightdm.autoLogin¶
services.xserver.displayManager.lightdm.autoLogin.enable¶
Automatically log in as the specified .
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.lightdm.autoLogin.timeout¶
Show the greeter for this many seconds before automatic login occurs.
Type: signed integer
Default:
0Declared by:
services.xserver.displayManager.lightdm.autoLogin.user¶
User to be used for the automatic login.
Type: null or string
Default:
nullDeclared by:
services.xserver.displayManager.lightdm.background¶
The background image or color to use.
Type: string
Default:
"\\${pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom}/share/artwork/gnome/nix-wallpaper-simple-dark-gray_bottom.png"Declared by:
services.xserver.displayManager.lightdm.extraConfig¶
Extra lines to append to LightDM section.
Type: strings concatenated with “\n”
Default:
""Example:
'' user-authority-in-system-dir = true ''Declared by:
services.xserver.displayManager.lightdm.extraSeatDefaults¶
Extra lines to append to SeatDefaults section.
Type: strings concatenated with “\n”
Default:
""Example:
'' greeter-show-manual-login=true ''Declared by:
services.xserver.displayManager.lightdm.greeter.enable¶
If set to false, run lightdm in greeterless mode. This only works if autologin is enabled and autoLogin.timeout is zero.
Type: boolean
Default:
trueDeclared by:
services.xserver.displayManager.lightdm.greeter.package¶
The LightDM greeter to login via. The package should be a directory containing a .desktop file matching the name in the ‘name’ option.
Type: package
Declared by:
services.xserver.displayManager.lightdm.greeter.name¶
The name of a .desktop file in the directory specified in the ‘package’ option.
Type: string
Declared by:
services.xserver.displayManager.lightdm.greeters.enso.enable¶
Whether to enable enso-os-greeter as the lightdm greeter
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.lightdm.greeters.enso.blur¶
Whether or not to enable blur
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.lightdm.greeters.enso.brightness¶
Brightness
Type: signed integer
Default:
7Declared by:
services.xserver.displayManager.lightdm.greeters.enso.cursorTheme.package¶
The package path that contains the cursor theme given in the name option.
Type: package
Default:
"pkgs.capitaine-cursors"Declared by:
services.xserver.displayManager.lightdm.greeters.enso.cursorTheme.name¶
Name of the cursor theme to use for the lightdm-enso-os-greeter
Type: string
Default:
"capitane-cursors"Declared by:
services.xserver.displayManager.lightdm.greeters.enso.extraConfig¶
Extra configuration that should be put in the greeter.conf configuration file
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.displayManager.lightdm.greeters.enso.iconTheme.package¶
The package path that contains the icon theme given in the name option.
Type: package
Default:
"pkgs.papirus-icon-theme"Declared by:
services.xserver.displayManager.lightdm.greeters.enso.iconTheme.name¶
Name of the icon theme to use for the lightdm-enso-os-greeter
Type: string
Default:
"ePapirus"Declared by:
services.xserver.displayManager.lightdm.greeters.enso.theme.package¶
The package path that contains the theme given in the name option.
Type: package
Default:
"pkgs.gnome3.gnome-themes-extra"Declared by:
services.xserver.displayManager.lightdm.greeters.enso.theme.name¶
Name of the theme to use for the lightdm-enso-os-greeter
Type: string
Default:
"Adwaita"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.enable¶
Whether to enable lightdm-gtk-greeter as the lightdm greeter.
Type: boolean
Default:
trueDeclared by:
services.xserver.displayManager.lightdm.greeters.gtk.clock-format¶
Clock format string (as expected by strftime, e.g. “%H:%M”) to use with the lightdm gtk greeter panel.
If set to null the default clock format is used.
Type: null or string
Default:
nullExample:
"%F"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.cursorTheme.package¶
The package path that contains the cursor theme given in the name option.
Type: unspecified
Default:
"pkgs.gnome3.adwaita-icon-theme"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.cursorTheme.name¶
Name of the cursor theme to use for the lightdm-gtk-greeter.
Type: string
Default:
"Adwaita"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.cursorTheme.size¶
Size of the cursor theme to use for the lightdm-gtk-greeter.
Type: signed integer
Default:
16Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.extraConfig¶
Extra configuration that should be put in the lightdm-gtk-greeter.conf configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.iconTheme.package¶
The package path that contains the icon theme given in the name option.
Type: package
Default:
"pkgs.gnome3.adwaita-icon-theme"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.iconTheme.name¶
Name of the icon theme to use for the lightdm-gtk-greeter.
Type: string
Default:
"Adwaita"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.indicators¶
List of allowed indicator modules to use for the lightdm gtk greeter panel.
Built-in indicators include “~a11y”, “~language”, “~session”, “~power”, “~clock”, “~host”, “~spacer”. Unity indicators can be represented by short name (e.g. “sound”, “power”), service file name, or absolute path.
If set to null the default indicators are used.
Type: null or list of strings
Default:
nullExample:
[ "~host" "~spacer" "~clock" "~spacer" "~session" "~language" "~a11y" "~power" ]Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.theme.package¶
The package path that contains the theme given in the name option.
Type: package
Default:
"pkgs.gnome3.gnome-themes-extra"Declared by:
services.xserver.displayManager.lightdm.greeters.gtk.theme.name¶
Name of the theme to use for the lightdm-gtk-greeter.
Type: string
Default:
"Adwaita"Declared by:
services.xserver.displayManager.lightdm.greeters.mini.enable¶
Whether to enable lightdm-mini-greeter as the lightdm greeter.
Note that this greeter starts only the default X session. You can configure the default X session using:ref:opt-services.xserver.displayManager.defaultSession.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.lightdm.greeters.mini.extraConfig¶
Extra configuration that should be put in the lightdm-mini-greeter.conf configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.displayManager.lightdm.greeters.mini.user¶
The user to login as.
Type: string
Default:
"root"Declared by:
services.xserver.displayManager.lightdm.greeters.pantheon.enable¶
Whether to enable elementary-greeter as the lightdm greeter.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.sddm.enable¶
Whether to enable sddm as the display manager.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.sddm.enableHidpi¶
Whether to enable automatic HiDPI mode.
Versions up to 0.17 are broken so this only works from 0.18 onwards.
Type: boolean
Default:
trueDeclared by:
services.xserver.displayManager.sddm.autoLogin¶
services.xserver.displayManager.sddm.autoLogin.enable¶
Automatically log in as .
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.sddm.autoLogin.relogin¶
If true automatic login will kick in again on session exit (logout), otherwise it will only log in automatically when the display-manager is started.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.sddm.autoLogin.user¶
User to be used for the automatic login.
Type: null or string
Default:
nullDeclared by:
services.xserver.displayManager.sddm.autoNumlock¶
Enable numlock at login.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.sddm.extraConfig¶
Extra lines appended to the configuration of SDDM.
Type: strings concatenated with “\n”
Default:
""Example:
'' [Autologin] User=john Session=plasma.desktop ''Declared by:
services.xserver.displayManager.sddm.setupScript¶
A script to execute when starting the display server. DEPRECATED, please use .
Type: string
Default:
""Example:
'' # workaround for using NVIDIA Optimus without Bumblebee xrandr --setprovideroutputsource modesetting NVIDIA-0 xrandr --auto ''Declared by:
services.xserver.displayManager.sddm.stopScript¶
A script to execute when stopping the display server.
Type: string
Default:
""Declared by:
services.xserver.displayManager.sddm.theme¶
Greeter theme to use.
Type: string
Default:
""Declared by:
services.xserver.displayManager.session¶
List of sessions supported with the command used to start each session. Each session script can set the``waitPID`` shell variable to make this script wait until the end of the user session. Each script is used to define either a window manager or a desktop manager. These can be differentiated by setting the attribute``manage`` either to
"window"or"desktop".The list of desktop manager and window manager should appear inside the display manager with the desktop manager name followed by the window manager name.
Type: unspecified
Default: ``[
]``
Example:
[ { manage = "desktop"; name = "xterm"; start = '' ${pkgs.xterm}/bin/xterm -ls & waitPID=$! ''; } ]Declared by:
services.xserver.displayManager.sessionCommands¶
Shell commands executed just before the window or desktop manager is started. These commands are not currently sourced for Wayland sessions.
Type: strings concatenated with “\n”
Default:
""Example:
'' xmessage "Hello World!" & ''Declared by:
services.xserver.displayManager.sessionPackages¶
A list of packages containing x11 or wayland session files to be passed to the display manager.
Type: list of package with provided sessionss
Default: ``[
]``
Declared by:
services.xserver.displayManager.setupCommands¶
Shell commands executed just after the X server has started.
This option is only effective for display managers for which this feature is supported; currently these are LightDM, GDM and SDDM.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.displayManager.startx.enable¶
Whether to enable the dummy “startx” pseudo-display manager, which allows users to start X manually via the “startx” command from a vt shell. The X server runs under the user’s id, not as root. The user must provide a ~/.xinitrc file containing session startup commands, see startx(1). This is not automatically generated from the desktopManager and windowManager settings.
Type: unspecified
Default:
falseDeclared by:
services.xserver.displayManager.xpra.enable¶
Whether to enable xpra as display manager.
Type: boolean
Default:
falseDeclared by:
services.xserver.displayManager.xpra.auth¶
Authentication to use when connecting to xpra
Type: string
Default:
"pam"Example:
"password:value=mysecret"Declared by:
services.xserver.displayManager.xpra.bindTcp¶
Bind xpra to TCP
Type: null or string
Default:
"127.0.0.1:10000"Example:
"0.0.0.0:10000"Declared by:
services.xserver.displayManager.xpra.extraOptions¶
services.xserver.displayManager.xpra.pulseaudio¶
Whether to enable pulseaudio audio streaming.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.displayManager.xserverArgs¶
List of arguments for the X server.
Type: list of strings
Default: ``[
]``
Example:
[ "-ac" "-logverbose" "-verbose" "-nolisten tcp" ]Declared by:
services.xserver.displayManager.xserverBin¶
Path to the X server used by display managers.
Type: path
Declared by:
services.xserver.dpi¶
DPI resolution to use for X server.
Type: null or signed integer
Default:
nullDeclared by:
services.xserver.exportConfiguration¶
Whether to symlink the X server configuration under:file:/etc/X11/xorg.conf.
Type: boolean
Default:
falseDeclared by:
services.xserver.extraConfig¶
Additional contents (sections) included in the X server configuration file
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.extraDisplaySettings¶
Lines to be added to every Display subsection of the Screen section.
Type: strings concatenated with “\n”
Default:
""Example:
"Virtual 2048 2048"Declared by:
services.xserver.extraLayouts¶
Extra custom layouts that will be included in the xkb configuration. Information on how to create a new layout can be found here:` <https://www.x.org/releases/current/doc/xorg-docs/input/XKB-Enhancing.html#Defining_New_Layouts>`_. For more examples see` <https://wiki.archlinux.org/index.php/X_KeyBoard_extension#Basic_examples>`_
Type: attribute set of submodules
Default: ``{
}``
Example:
{ mine = { description = "My custom xkb layout."; languages = [ "eng" ]; symbolsFile = /path/to/my/layout; }; }Declared by:
services.xserver.extraLayouts.<name>.compatFile¶
The path to the xkb compat file. This file sets the compatibility state, used to preserve compatibility with xkb-unaware programs. It must contain a
xkb_compat "name" { ... }block.Type: null or path
Default:
nullDeclared by:
services.xserver.extraLayouts.<name>.description¶
A short description of the layout.
Type: string
Declared by:
services.xserver.extraLayouts.<name>.geometryFile¶
The path to the xkb geometry file. This (completely optional) file describes the physical layout of keyboard, which maybe be used by programs to depict it. It must contain a
xkb_geometry "name" { ... }block.Type: null or path
Default:
nullDeclared by:
services.xserver.extraLayouts.<name>.keycodesFile¶
The path to the xkb keycodes file. This file specifies the range and the interpretation of the raw keycodes sent by the keyboard. It must contain a
xkb_keycodes "name" { ... }block.Type: null or path
Default:
nullDeclared by:
services.xserver.extraLayouts.<name>.languages¶
A list of languages provided by the layout. (Use ISO 639-2 codes, for example: “eng” for english)
Type: list of strings
Declared by:
services.xserver.extraLayouts.<name>.symbolsFile¶
The path to the xkb symbols file. This is the most important file: it defines which symbol or action maps to each key and must contain a``xkb_symbols “name” { … }`` block.
Type: null or path
Default:
nullDeclared by:
services.xserver.extraLayouts.<name>.typesFile¶
The path to the xkb types file. This file specifies the key types that can be associated with the various keyboard keys. It must contain a
xkb_types "name" { ... }block.Type: null or path
Default:
nullDeclared by:
services.xserver.gdk-pixbuf.modulePackages¶
Packages providing GDK-Pixbuf modules, for cache generation.
Type: list of packages
Default: ``[
]``
Declared by:
services.xserver.imwheel.enable¶
Whether to enable IMWheel service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.imwheel.extraOptions¶
Additional command-line arguments to pass to:command:imwheel.
Type: list of strings
Default:
[ "--buttons=45" ]Example:
[ "--debug" ]Declared by:
services.xserver.imwheel.rules¶
Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users. See offical man pages for more informations.
Type: attribute set of strings
Default: ``{
}``
Example:
".*" = '' None, Up, Button4, 8 None, Down, Button5, 8 Shift_L, Up, Shift_L|Button4, 4 Shift_L, Down, Shift_L|Button5, 4 Control_L, Up, Control_L|Button4 Control_L, Down, Control_L|Button5 '';Declared by:
services.xserver.inputClassSections¶
Content of additional InputClass sections of the X server configuration file.
Type: list of strings concatenated with “\n”s
Default: ``[
]``
Example:
[ '' Identifier "Trackpoint Wheel Emulation" MatchProduct "ThinkPad USB Keyboard with TrackPoint" Option "EmulateWheel" "true" Option "EmulateWheelButton" "2" Option "Emulate3Buttons" "false" '' ]Declared by:
services.xserver.layout¶
Keyboard layout, or multiple keyboard layouts separated by commas.
Type: string
Default:
"us"Declared by:
services.xserver.libinput.enable¶
Whether to enable libinput.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.libinput.accelProfile¶
Sets the pointer acceleration profile to the given profile. Permitted values are adaptive, flat. Not all devices support this option or all profiles. If a profile is unsupported, the default profile for this is used.``flat``: Pointer motion is accelerated by a constant (device-specific) factor, depending on the current speed.``adaptive``: Pointer acceleration depends on the input speed. This is the default profile for most devices.
Type: one of “flat”, “adaptive”
Default:
"adaptive"Example:
"flat"Declared by:
services.xserver.libinput.accelSpeed¶
Cursor acceleration (how fast speed increases from minSpeed to maxSpeed).
Type: null or string
Default:
nullDeclared by:
services.xserver.libinput.additionalOptions¶
Additional options for libinput touchpad driver.
Type: strings concatenated with “\n”
Default:
""Example:
'' Option "DragLockButtons" "L1 B1 L2 B2" ''Declared by:
services.xserver.libinput.buttonMapping¶
Sets the logical button mapping for this device, see XSetPointerMapping(3). The string must be a space-separated list of button mappings in the order of the logical buttons on the device, starting with button 1. The default mapping is “1 2 3 … 32”. A mapping of 0 deac‐ tivates the button. Multiple buttons can have the same mapping. Invalid mapping strings are discarded and the default mapping is used for all buttons. Buttons not specified in the user’s mapping use the default mapping. See section BUTTON MAPPING for more details.
Type: null or string
Default:
nullDeclared by:
services.xserver.libinput.calibrationMatrix¶
A string of 9 space-separated floating point numbers. Sets the calibration matrix to the 3x3 matrix where the first row is (abc), the second row is (def) and the third row is (ghi).
Type: null or string
Default:
nullDeclared by:
services.xserver.libinput.clickMethod¶
Enables a click method. Permitted values are
none,``buttonareas``,clickfinger. Not all devices support all methods, if an option is unsupported, the default click method for this device is used.Type: null or one of “none”, “buttonareas”, “clickfinger”
Default:
nullDeclared by:
services.xserver.libinput.dev¶
Path for touchpad device. Set to null to apply to any auto-detected touchpad.
Type: null or string
Default:
nullExample:
"/dev/input/event0"Declared by:
services.xserver.libinput.disableWhileTyping¶
Disable input method while typing.
Type: boolean
Default:
falseDeclared by:
services.xserver.libinput.horizontalScrolling¶
Disables horizontal scrolling. When disabled, this driver will discard any horizontal scroll events from libinput. Note that this does not disable horizontal scrolling, it merely discards the horizontal axis from any scroll events.
Type: boolean
Default:
trueDeclared by:
services.xserver.libinput.leftHanded¶
Enables left-handed button orientation, i.e. swapping left and right buttons.
Type: boolean
Default:
falseDeclared by:
services.xserver.libinput.middleEmulation¶
Enables middle button emulation. When enabled, pressing the left and right buttons simultaneously produces a middle mouse button click.
Type: boolean
Default:
trueDeclared by:
services.xserver.libinput.naturalScrolling¶
Enables or disables natural scrolling behavior.
Type: boolean
Default:
falseDeclared by:
services.xserver.libinput.scrollButton¶
Designates a button as scroll button. If the ScrollMethod is button and the button is logically held down, x/y axis movement is converted into scroll events.
Type: null or signed integer
Default:
nullExample:
1Declared by:
services.xserver.libinput.scrollMethod¶
Specify the scrolling method:
twofinger,edge,``button``, ornoneType: one of “twofinger”, “edge”, “button”, “none”
Default:
"twofinger"Example:
"edge"Declared by:
services.xserver.libinput.sendEventsMode¶
Sets the send events mode to
disabled,enabled, ordisabled-on-external-mouseType: one of “disabled”, “enabled”, “disabled-on-external-mouse”
Default:
"enabled"Example:
"disabled"Declared by:
services.xserver.libinput.tapping¶
Enables or disables tap-to-click behavior.
Type: boolean
Default:
trueDeclared by:
services.xserver.libinput.tappingDragLock¶
Enables or disables drag lock during tapping behavior. When enabled, a finger up during tap- and-drag will not immediately release the button. If the finger is set down again within the timeout, the draging process continues.
Type: boolean
Default:
trueDeclared by:
services.xserver.moduleSection¶
Contents of the Module section of the X server configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
'' SubSection "extmod" EndSubsection ''Declared by:
services.xserver.modules¶
Packages to be added to the module search path of the X server.
Type: list of paths
Default: ``[
]``
Example:
[ pkgs.xf86_input_wacom ]Declared by:
services.xserver.monitorSection¶
Contents of the first Monitor section of the X server configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
"HorizSync 28-49"Declared by:
services.xserver.resolutions¶
services.xserver.screenSection¶
Contents of the first Screen section of the X server configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
'' Option "RandRRotation" "on" ''Declared by:
services.xserver.serverFlagsSection¶
Contents of the ServerFlags section of the X server configuration file.
Type: unspecified
Default:
""Example:
'' Option "BlankTime" "0" Option "StandbyTime" "0" Option "SuspendTime" "0" Option "OffTime" "0" ''Declared by:
services.xserver.serverLayoutSection¶
Contents of the ServerLayout section of the X server configuration file.
Type: strings concatenated with “\n”
Default:
""Example:
'' Option "AIGLX" "true" ''Declared by:
services.xserver.startDbusSession¶
Whether to start a new DBus session when you log in with dbus-launch.
Type: boolean
Default:
trueDeclared by:
services.xserver.synaptics.enable¶
Whether to enable touchpad support. Deprecated: Consider services.xserver.libinput.enable.
Type: boolean
Default:
falseDeclared by:
services.xserver.synaptics.accelFactor¶
Cursor acceleration (how fast speed increases from minSpeed to maxSpeed).
Type: null or string
Default:
"0.001"Declared by:
services.xserver.synaptics.additionalOptions¶
Additional options for synaptics touchpad driver.
Type: string
Default:
""Example:
'' Option "RTCornerButton" "2" Option "RBCornerButton" "3" ''Declared by:
services.xserver.synaptics.buttonsMap¶
Remap touchpad buttons.
Type: list of signed integers
Default:
[ 1 2 3 ]Example:
[ 1 3 2 ]Declared by:
services.xserver.synaptics.dev¶
Path for touchpad device. Set to null to apply to any auto-detected touchpad.
Type: null or string
Default:
nullExample:
"/dev/input/event0"Declared by:
services.xserver.synaptics.fingersMap¶
Remap several-fingers taps.
Type: list of signed integers
Default:
[ 1 2 3 ]Example:
[ 1 3 2 ]Declared by:
services.xserver.synaptics.horizEdgeScroll¶
Whether to enable horizontal edge drag-scrolling.
Type: boolean
Default:
trueDeclared by:
services.xserver.synaptics.horizTwoFingerScroll¶
Whether to enable horizontal two-finger drag-scrolling.
Type: boolean
Default:
falseDeclared by:
services.xserver.synaptics.horizontalScroll¶
Whether to enable horizontal scrolling (on touchpad)
Type: boolean
Default:
trueDeclared by:
services.xserver.synaptics.maxSpeed¶
Cursor speed factor for highest-speed finger motion.
Type: null or string
Default:
"1.0"Declared by:
services.xserver.synaptics.minSpeed¶
Cursor speed factor for precision finger motion.
Type: null or string
Default:
"0.6"Declared by:
services.xserver.synaptics.palmDetect¶
Whether to enable palm detection (hardware support required)
Type: boolean
Default:
falseDeclared by:
services.xserver.synaptics.palmMinWidth¶
Minimum finger width at which touch is considered a palm
Type: null or signed integer
Default:
nullExample:
5Declared by:
services.xserver.synaptics.palmMinZ¶
Minimum finger pressure at which touch is considered a palm
Type: null or signed integer
Default:
nullExample:
20Declared by:
services.xserver.synaptics.scrollDelta¶
Move distance of the finger for a scroll event.
Type: null or signed integer
Default:
nullExample:
75Declared by:
services.xserver.synaptics.tapButtons¶
Whether to enable tap buttons.
Type: boolean
Default:
trueDeclared by:
services.xserver.synaptics.twoFingerScroll¶
Whether to enable two-finger drag-scrolling. Overridden by horizTwoFingerScroll and vertTwoFingerScroll.
Type: boolean
Default:
falseDeclared by:
services.xserver.synaptics.vertEdgeScroll¶
Whether to enable vertical edge drag-scrolling.
Type: boolean
Default:
trueDeclared by:
services.xserver.synaptics.vertTwoFingerScroll¶
Whether to enable vertical two-finger drag-scrolling.
Type: boolean
Default:
falseDeclared by:
services.xserver.terminateOnReset¶
Whether to terminate X upon server reset.
Type: boolean
Default:
trueDeclared by:
services.xserver.tty¶
Virtual console for the X server.
Type: null or signed integer
Default:
7Declared by:
services.xserver.updateDbusEnvironment¶
Whether to update the DBus activation environment after launching the desktop manager.
Type: boolean
Default:
falseDeclared by:
services.xserver.useGlamor¶
Whether to use the Glamor module for 2D acceleration, if possible.
Type: boolean
Default:
falseDeclared by:
services.xserver.useXFS¶
Determines how to connect to the X Font Server.
Type: unspecified
Default:
falseExample:
"unix/:7100"Declared by:
services.xserver.verbose¶
Controls verbosity of X logging.
Type: null or signed integer
Default:
3Example:
7Declared by:
services.xserver.videoDriver¶
The name of the video driver for your graphics card. This option is obsolete; please set the instead.
Type: null or string
Default:
nullExample:
"i810"Declared by:
services.xserver.videoDrivers¶
The names of the video drivers the configuration supports. They will be tried in order until one that supports your card is found. Don’t combine those with “incompatible” OpenGL implementations, e.g. free ones (mesa-based) with proprietary ones.
For unfree “nvidia*”, the supported GPU lists are on https://www.nvidia.com/object/unix.html
Type: list of strings
Default:
[ "radeon" "cirrus" "vesa" "vmware" "modesetting" ]Example:
[ "ati_unfree" "amdgpu" "amdgpu-pro" "nv" "nvidia" "nvidiaLegacy390" "nvidiaLegacy340" "nvidiaLegacy304" ]Related packages:
amdgpu aka pkgs.xorg.xf86videoamdgpu (xf86-video-amdgpu-19.0.1): ???.apm aka pkgs.xorg.xf86videoapm (xf86-video-apm-1.3.0): ???.- ``ark aka pkgs.xorg.xf86videoark (xf86-video-ark-0.7.5)``*[UNAVAILABLE]*: ???.
ast aka pkgs.xorg.xf86videoast (xf86-video-ast-1.1.5): ???.ati aka pkgs.xorg.xf86videoati (xf86-video-ati-19.0.1): ???.chips aka pkgs.xorg.xf86videochips (xf86-video-chips-1.4.0): ???.cirrus aka pkgs.xorg.xf86videocirrus (xf86-video-cirrus-1.5.3): ???.dummy aka pkgs.xorg.xf86videodummy (xf86-video-dummy-0.3.8): ???.fbdev aka pkgs.xorg.xf86videofbdev (xf86-video-fbdev-0.5.0): ???.- ``geode aka pkgs.xorg.xf86videogeode (xf86-video-geode-2.11.19)``*[UNAVAILABLE]*: ???.
- ``glide aka pkgs.xorg.xf86videoglide (xf86-video-glide-1.2.2)``*[UNAVAILABLE]*: ???.
glint aka pkgs.xorg.xf86videoglint (xf86-video-glint-1.2.9): ???.- ``i128 aka pkgs.xorg.xf86videoi128 (xf86-video-i128-1.4.0)``*[UNAVAILABLE]*: ???.
i740 aka pkgs.xorg.xf86videoi740 (xf86-video-i740-1.4.0): ???.intel aka pkgs.xorg.xf86videointel (xf86-video-intel-2019-12-09): ???.mach64 aka pkgs.xorg.xf86videomach64 (xf86-video-mach64-6.9.6): ???.mga aka pkgs.xorg.xf86videomga (xf86-video-mga-2.0.0): ???.neomagic aka pkgs.xorg.xf86videoneomagic (xf86-video-neomagic-1.3.0): ???.- ``newport aka pkgs.xorg.xf86videonewport (xf86-video-newport-0.2.4)``*[UNAVAILABLE]*: ???.
nouveau aka pkgs.xorg.xf86videonouveau (xf86-video-nouveau-1.0.15): ???.nv aka pkgs.xorg.xf86videonv (xf86-video-nv-2.1.21): ???.omap aka pkgs.xorg.xf86videoomap (xf86-video-omap-0.4.5): ???.openchrome aka pkgs.xorg.xf86videoopenchrome (xf86-video-openchrome-0.6.0): ???.qxl aka pkgs.xorg.xf86videoqxl (xf86-video-qxl-0.1.5): ???.r128 aka pkgs.xorg.xf86videor128 (xf86-video-r128-6.11.0): ???.rendition aka pkgs.xorg.xf86videorendition (xf86-video-rendition-4.2.7): ???.- ``s3virge aka pkgs.xorg.xf86videos3virge (xf86-video-s3virge-1.11.0)``*[UNAVAILABLE]*: ???.
- ``savage aka pkgs.xorg.xf86videosavage (xf86-video-savage-2.3.9)``*[UNAVAILABLE]*: ???.
siliconmotion aka pkgs.xorg.xf86videosiliconmotion (xf86-video-siliconmotion-1.7.9): ???.sis aka pkgs.xorg.xf86videosis (xf86-video-sis-0.11.0): ???.sisusb aka pkgs.xorg.xf86videosisusb (xf86-video-sisusb-0.9.7): ???.suncg6 aka pkgs.xorg.xf86videosuncg6 (xf86-video-suncg6-1.1.2): ???.sunffb aka pkgs.xorg.xf86videosunffb (xf86-video-sunffb-1.2.2): ???.sunleo aka pkgs.xorg.xf86videosunleo (xf86-video-sunleo-1.2.2): ???.tdfx aka pkgs.xorg.xf86videotdfx (xf86-video-tdfx-1.5.0): ???.- ``tga aka pkgs.xorg.xf86videotga (xf86-video-tga-1.2.2)``*[UNAVAILABLE]*: ???.
trident aka pkgs.xorg.xf86videotrident (xf86-video-trident-1.3.8): ???.- ``v4l aka pkgs.xorg.xf86videov4l (xf86-video-v4l-0.3.0)``*[UNAVAILABLE]*: ???.
vboxvideo aka pkgs.xorg.xf86videovboxvideo (xf86-video-vboxvideo-1.0.0): ???.vesa aka pkgs.xorg.xf86videovesa (xf86-video-vesa-2.4.0): ???.vmware aka pkgs.xorg.xf86videovmware (xf86-video-vmware-13.3.0): ???.- ``voodoo aka pkgs.xorg.xf86videovoodoo (xf86-video-voodoo-1.2.5)``*[UNAVAILABLE]*: ???.
- ``wsfb aka pkgs.xorg.xf86videowsfb (xf86-video-wsfb-0.4.0)``*[UNAVAILABLE]*: ???.
xgi aka pkgs.xorg.xf86videoxgi (xf86-video-xgi-1.6.1): ???.Declared by:
services.xserver.virtualScreen¶
Virtual screen size for Xrandr.
Type: null or attribute set
Default:
nullExample:
{ x = 2048; y = 2048; }Declared by:
services.xserver.wacom.enable¶
Whether to enable the Wacom touchscreen/digitizer/tablet. If you ever have any issues such as, try switching to terminal (ctrl-alt-F1) and back which will make Xorg reconfigure the device ?
If you’re not satisfied by the default behaviour you can override in configuration.nix easily.
Type: unspecified
Default:
falseDeclared by:
services.xserver.windowManager.2bwm.enable¶
Whether to enable 2bwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.afterstep.enable¶
Whether to enable afterstep.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.awesome.enable¶
Whether to enable Awesome window manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.awesome.package¶
Package to use for running the Awesome WM.
Type: null or package
Default:
nullDeclared by:
services.xserver.windowManager.awesome.luaModules¶
List of lua packages available for being used in the Awesome configuration.
Type: list of packages
Default: ``[
]``
Example:
[ luaPackages.oocairo ]Declared by:
services.xserver.windowManager.awesome.noArgb¶
Disable client transparency support, which can be greatly detrimental to performance in some setups
Type: boolean
Default:
falseDeclared by:
services.xserver.windowManager.bspwm.enable¶
Whether to enable bspwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.bspwm.package¶
bspwm package to use.
Type: package
Default:
"pkgs.bspwm"Example:
"pkgs.bspwm-unstable"Declared by:
services.xserver.windowManager.bspwm.configFile¶
Path to the bspwm configuration file. If null, $HOME/.config/bspwm/bspwmrc will be used.
Type: null or path
Default:
nullExample:
"\\${pkgs.bspwm}/share/doc/bspwm/examples/bspwmrc"Declared by:
services.xserver.windowManager.bspwm.sxhkd.package¶
sxhkd package to use.
Type: package
Default:
"pkgs.sxhkd"Example:
"pkgs.sxhkd-unstable"Declared by:
services.xserver.windowManager.bspwm.sxhkd.configFile¶
Path to the sxhkd configuration file. If null, $HOME/.config/sxhkd/sxhkdrc will be used.
Type: null or path
Default:
nullExample:
"\\${pkgs.bspwm}/share/doc/bspwm/examples/sxhkdrc"Declared by:
services.xserver.windowManager.cwm.enable¶
Whether to enable cwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.default¶
Deprecated, please use services.xserver.displayManager.defaultSession instead.
Default window manager loaded if none have been chosen.
Type: null or string
Default:
nullExample:
"wmii"Declared by:
services.xserver.windowManager.dwm.enable¶
Whether to enable dwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.evilwm.enable¶
Whether to enable evilwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.exwm.enable¶
Whether to enable exwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.exwm.enableDefaultConfig¶
Enable an uncustomised exwm configuration.
Type: boolean
Default:
trueDeclared by:
services.xserver.windowManager.exwm.extraPackages¶
Extra packages available to Emacs. The value must be a function which receives the attrset defined in``emacsPackages`` as the sole argument.
Type: unspecified
Default:
"<function>"Example:
epkgs: [ epkgs.emms epkgs.magit epkgs.proofgeneral ]Declared by:
services.xserver.windowManager.fluxbox.enable¶
Whether to enable fluxbox.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.fvwm.enable¶
Whether to enable Fvwm window manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.fvwm.gestures¶
Whether or not to enable libstroke for gesture support
Type: boolean
Default:
falseDeclared by:
services.xserver.windowManager.herbstluftwm.enable¶
Whether to enable herbstluftwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.herbstluftwm.configFile¶
Path to the herbstluftwm configuration file. If left at the default value, $XDG_CONFIG_HOME/herbstluftwm/autostart will be used.
Type: null or path
Default:
nullDeclared by:
services.xserver.windowManager.i3.enable¶
Whether to enable i3 window manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.i3.package¶
i3 package to use.
Type: package
Default:
"pkgs.i3"Example:
"pkgs.i3-gaps"Declared by:
services.xserver.windowManager.i3.configFile¶
Path to the i3 configuration file. If left at the default value, $HOME/.i3/config will be used.
Type: null or path
Default:
nullDeclared by:
services.xserver.windowManager.i3.extraPackages¶
Extra packages to be installed system wide.
Type: list of packages
Default:
[ *(build of dmenu-4.9)* *(build of i3status-2.13)* *(build of i3lock-2.12)* ]Example:
with pkgs; [ dmenu i3status i3lock ]Declared by:
services.xserver.windowManager.i3.extraSessionCommands¶
Shell commands executed just before i3 is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.xserver.windowManager.icewm.enable¶
Whether to enable icewm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.jwm.enable¶
Whether to enable jwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.leftwm.enable¶
Whether to enable leftwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.metacity.enable¶
Whether to enable metacity.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.mwm.enable¶
Whether to enable mwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.notion.enable¶
Whether to enable notion.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.openbox.enable¶
Whether to enable openbox.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.pekwm.enable¶
Whether to enable pekwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.qtile.enable¶
Whether to enable qtile.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.ratpoison.enable¶
Whether to enable ratpoison.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.sawfish.enable¶
Whether to enable sawfish.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.spectrwm.enable¶
Whether to enable spectrwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.stumpwm.enable¶
Whether to enable stumpwm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.twm.enable¶
Whether to enable twm.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.windowlab.enable¶
Whether to enable windowlab.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.windowmaker.enable¶
Whether to enable windowmaker.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.wmii.enable¶
Whether to enable wmii.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.xmonad.enable¶
Whether to enable xmonad.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.windowManager.xmonad.enableContribAndExtras¶
Enable xmonad-{contrib,extras} in Xmonad.
Type: boolean
Default:
falseDeclared by:
services.xserver.windowManager.xmonad.config¶
Configuration from which XMonad gets compiled. If no value is specified, the xmonad config from $HOME/.xmonad is taken. If you use xmonad –recompile, $HOME/.xmonad will be taken as the configuration, but on the next restart of display-manager this config will be reapplied.
Type: null or path or string
Default:
nullExample:
'' import XMonad main = launch defaultConfig { modMask = mod4Mask -- Use Super instead of Alt , terminal = "urxvt" } ''Declared by:
services.xserver.windowManager.xmonad.extraPackages¶
Extra packages available to ghc when rebuilding Xmonad. The value must be a function which receives the attrset defined in
haskellPackagesas the sole argument.Type: unspecified
Default:
"self: \[]"Example:
haskellPackages: [ haskellPackages.xmonad-contrib haskellPackages.monad-logger ]Declared by:
services.xserver.windowManager.xmonad.haskellPackages¶
haskellPackages used to build Xmonad and other packages. This can be used to change the GHC version used to build Xmonad and the packages listed in``extraPackages``.
Type: unspecified
Default:
"pkgs.haskellPackages"Example:
pkgs.haskell.packages.ghc784Declared by:
services.xserver.xautolock.enable¶
Whether to enable xautolock.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.xautolock.enableNotifier¶
Whether to enable the notifier feature of xautolock. This publishes a notification before the autolock.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xserver.xautolock.extraOptions¶
Additional command-line arguments to pass to:command:xautolock.
Type: list of strings
Default: ``[
]``
Example:
[ "-detectsleep" ]Declared by:
services.xserver.xautolock.killer¶
The script to use when nothing has happend for as long as
Type: null or string
Default:
nullExample:
"\\${pkgs.systemd}/bin/systemctl suspend"Declared by:
services.xserver.xautolock.killtime¶
Minutes xautolock waits until it executes the script specified in (Has to be at least 10 minutes)
Type: signed integer
Default:
20Declared by:
services.xserver.xautolock.locker¶
The script to use when automatically locking the computer.
Type: string
Default:
"\\${pkgs.xlockmore}/bin/xlock"Example:
"\\${pkgs.i3lock}/bin/i3lock -i /path/to/img"Declared by:
services.xserver.xautolock.notifier¶
Notification script to be used to warn about the pending autolock.
Type: null or string
Default:
nullExample:
''''${pkgs.libnotify}/bin/notify-send "Locking in 10 seconds"''Declared by:
services.xserver.xautolock.notify¶
Time (in seconds) before the actual lock when the notification about the pending lock should be published.
Type: signed integer
Default:
10Declared by:
services.xserver.xautolock.nowlocker¶
The script to use when manually locking the computer with xautolock -locknow.
Type: null or string
Default:
nullExample:
"\\${pkgs.i3lock}/bin/i3lock -i /path/to/img"Declared by:
services.xserver.xautolock.time¶
Idle time (in minutes) to wait until xautolock locks the computer.
Type: signed integer
Default:
15Declared by:
services.xserver.xkbDir¶
Path used for -xkbdir xserver parameter.
Type: path
Default:
"\\${pkgs.xkeyboard_config}/etc/X11/xkb"Declared by:
services.xserver.xkbModel¶
Keyboard model.
Type: string
Default:
"pc104"Example:
"presario"Declared by:
services.xserver.xkbOptions¶
X keyboard options; layout switching goes here.
Type: strings concatenated with “,”
Default:
"terminate:ctrl_alt_bksp"Example:
"grp:caps_toggle,grp_led:scroll"Declared by:
services.xserver.xkbVariant¶
X keyboard variant.
Type: string
Default:
""Example:
"colemak"Declared by:
services.xserver.xrandrHeads¶
Multiple monitor configuration, just specify a list of XRandR outputs. The individual elements should be either simple strings or an attribute set of output options.
If the element is a string, it is denoting the physical output for a monitor, if it’s an attribute set, you must at least provide the option.
The monitors will be mapped from left to right in the order of the list.
By default, the first monitor will be set as the primary monitor if none of the elements contain an option that has set to
true.Note
Only one monitor is allowed to be primary.
Be careful using this option with multiple graphic adapters or with drivers that have poor support for XRandR, unexpected things might happen with those.
Type: list of submodule or string convertible to its
Default: ``[
]``
Example: ``[ “HDMI-0” { output = “DVI-0”; primary = true; }
{ monitorConfig = ‘’Option “Rotate” “left”’’; output = “DVI-1”; }
]``
Declared by:
services.xserver.xrandrHeads.*.monitorConfig¶
Extra lines to append to the
Monitorsection verbatim. Available options are documented in the MONITOR section inxorg.conf5.Type: strings concatenated with “\n”
Default:
""Example:
'' DisplaySize 408 306 Option "DPMS" "false" ''Declared by:
services.xserver.xrandrHeads.*.output¶
The output name of the monitor, as shown by xrandr1 invoked without arguments.
Type: string
Example:
"DVI-0"Declared by:
services.xserver.xrandrHeads.*.primary¶
Whether this head is treated as the primary monitor,
Type: boolean
Default:
falseDeclared by:
services.xtreemfs.enable¶
Whether to enable XtreemFS.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xtreemfs.dir.enable¶
Whether to enable XtreemFS DIR service.
Type: unspecified
Default:
trueDeclared by:
services.xtreemfs.dir.address¶
If specified, it defines the interface to listen on. If not specified, the service will listen on all interfaces (any).
Type: unspecified
Default:
""Example:
"127.0.0.1"Declared by:
services.xtreemfs.dir.extraConfig¶
Configuration of XtreemFS DIR service. WARNING: configuration is saved as plaintext inside nix store. For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html
Type: strings concatenated with “\n”
Default:
""Example:
'' # specify whether SSL is required ssl.enabled = true ssl.service_creds.pw = passphrase ssl.service_creds.container = pkcs12 ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/dir.p12 ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks ssl.trusted_certs.pw = jks_passphrase ssl.trusted_certs.container = jks ''Declared by:
services.xtreemfs.dir.httpPort¶
Specifies the listen port for the HTTP service that returns the status page.
Type: unspecified
Default:
30638Declared by:
services.xtreemfs.dir.port¶
The port to listen on for incoming connections (TCP).
Type: unspecified
Default:
32638Declared by:
services.xtreemfs.dir.replication.enable¶
Whether to enable XtreemFS DIR replication plugin.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xtreemfs.dir.replication.extraConfig¶
Configuration of XtreemFS DIR replication plugin. WARNING: configuration is saved as plaintext inside nix store. For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html
Type: strings concatenated with “\n”
Example:
'' # participants of the replication including this replica babudb.repl.participant.0 = 192.168.0.10 babudb.repl.participant.0.port = 35676 babudb.repl.participant.1 = 192.168.0.11 babudb.repl.participant.1.port = 35676 babudb.repl.participant.2 = 192.168.0.12 babudb.repl.participant.2.port = 35676 # number of servers that at least have to be up to date # To have a fault-tolerant system, this value has to be set to the # majority of nodes i.e., if you have three replicas, set this to 2 # Please note that a setup with two nodes provides no fault-tolerance. babudb.repl.sync.n = 2 # specify whether SSL is required babudb.ssl.enabled = true babudb.ssl.protocol = tlsv12 # server credentials for SSL handshakes babudb.ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/osd.p12 babudb.ssl.service_creds.pw = passphrase babudb.ssl.service_creds.container = pkcs12 # trusted certificates for SSL handshakes babudb.ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks babudb.ssl.trusted_certs.pw = jks_passphrase babudb.ssl.trusted_certs.container = jks babudb.ssl.authenticationWithoutEncryption = false ''Declared by:
services.xtreemfs.dir.syncMode¶
The sync mode influences how operations are committed to the disk log before the operation is acknowledged to the caller.
-ASYNC mode the writes to the disk log are buffered in memory by the operating system. This is the fastest mode but will lead to data loss in case of a crash, kernel panic or power failure. -SYNC_WRITE_METADATA opens the file with O_SYNC, the system will not buffer any writes. The operation will be acknowledged when data has been safely written to disk. This mode is slow but offers maximum data safety. However, BabuDB cannot influence the disk drive caches, this depends on the OS and hard disk model. -SYNC_WRITE similar to SYNC_WRITE_METADATA but opens file with O_DSYNC which means that only the data is commit to disk. This can lead to some data loss depending on the implementation of the underlying file system. Linux does not implement this mode. -FDATASYNC is similar to SYNC_WRITE but opens the file in asynchronous mode and calls fdatasync() after writing the data to disk. -FSYNC is similar to SYNC_WRITE_METADATA but opens the file in asynchronous mode and calls fsync() after writing the data to disk.
For best throughput use ASYNC, for maximum data safety use FSYNC.
(If xtreemfs.dir.replication.enable is true then FDATASYNC is forced)
Type: unspecified
Default:
"FSYNC"Example:
"FDATASYNC"Declared by:
services.xtreemfs.dir.uuid¶
Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in the `utillinux` package.
Type: unspecified
Example:
"eacb6bab-f444-4ebf-a06a-3f72d7465e40"Declared by:
services.xtreemfs.homeDir¶
XtreemFS home dir for the xtreemfs user.
Type: unspecified
Default:
"/var/lib/xtreemfs"Declared by:
services.xtreemfs.mrc.enable¶
Whether to enable XtreemFS MRC service.
Type: unspecified
Default:
trueDeclared by:
services.xtreemfs.mrc.address¶
If specified, it defines the interface to listen on. If not specified, the service will listen on all interfaces (any).
Type: unspecified
Default:
""Example:
"127.0.0.1"Declared by:
services.xtreemfs.mrc.extraConfig¶
Configuration of XtreemFS MRC service. WARNING: configuration is saved as plaintext inside nix store. For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html
Type: strings concatenated with “\n”
Example:
'' osd_check_interval = 300 no_atime = true local_clock_renewal = 0 remote_time_sync = 30000 authentication_provider = org.xtreemfs.common.auth.NullAuthProvider # shared secret between the MRC and all OSDs capability_secret = iNG8UuQJrJ6XVDTe dir_service.host = 192.168.0.10 dir_service.port = 32638 # if replication is enabled dir_service.1.host = 192.168.0.11 dir_service.1.port = 32638 dir_service.2.host = 192.168.0.12 dir_service.2.port = 32638 # specify whether SSL is required ssl.enabled = true ssl.protocol = tlsv12 ssl.service_creds.pw = passphrase ssl.service_creds.container = pkcs12 ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/mrc.p12 ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks ssl.trusted_certs.pw = jks_passphrase ssl.trusted_certs.container = jks ''Declared by:
services.xtreemfs.mrc.httpPort¶
Specifies the listen port for the HTTP service that returns the status page.
Type: unspecified
Default:
30636Declared by:
services.xtreemfs.mrc.port¶
The port to listen on for incoming connections (TCP).
Type: unspecified
Default:
32636Declared by:
services.xtreemfs.mrc.replication.enable¶
Whether to enable XtreemFS MRC replication plugin.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.xtreemfs.mrc.replication.extraConfig¶
Configuration of XtreemFS MRC replication plugin. WARNING: configuration is saved as plaintext inside nix store. For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html
Type: strings concatenated with “\n”
Example:
'' # participants of the replication including this replica babudb.repl.participant.0 = 192.168.0.10 babudb.repl.participant.0.port = 35678 babudb.repl.participant.1 = 192.168.0.11 babudb.repl.participant.1.port = 35678 babudb.repl.participant.2 = 192.168.0.12 babudb.repl.participant.2.port = 35678 # number of servers that at least have to be up to date # To have a fault-tolerant system, this value has to be set to the # majority of nodes i.e., if you have three replicas, set this to 2 # Please note that a setup with two nodes provides no fault-tolerance. babudb.repl.sync.n = 2 # specify whether SSL is required babudb.ssl.enabled = true babudb.ssl.protocol = tlsv12 # server credentials for SSL handshakes babudb.ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/osd.p12 babudb.ssl.service_creds.pw = passphrase babudb.ssl.service_creds.container = pkcs12 # trusted certificates for SSL handshakes babudb.ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks babudb.ssl.trusted_certs.pw = jks_passphrase babudb.ssl.trusted_certs.container = jks babudb.ssl.authenticationWithoutEncryption = false ''Declared by:
services.xtreemfs.mrc.syncMode¶
The sync mode influences how operations are committed to the disk log before the operation is acknowledged to the caller.
-ASYNC mode the writes to the disk log are buffered in memory by the operating system. This is the fastest mode but will lead to data loss in case of a crash, kernel panic or power failure. -SYNC_WRITE_METADATA opens the file with O_SYNC, the system will not buffer any writes. The operation will be acknowledged when data has been safely written to disk. This mode is slow but offers maximum data safety. However, BabuDB cannot influence the disk drive caches, this depends on the OS and hard disk model. -SYNC_WRITE similar to SYNC_WRITE_METADATA but opens file with O_DSYNC which means that only the data is commit to disk. This can lead to some data loss depending on the implementation of the underlying file system. Linux does not implement this mode. -FDATASYNC is similar to SYNC_WRITE but opens the file in asynchronous mode and calls fdatasync() after writing the data to disk. -FSYNC is similar to SYNC_WRITE_METADATA but opens the file in asynchronous mode and calls fsync() after writing the data to disk.
For best throughput use ASYNC, for maximum data safety use FSYNC.
(If xtreemfs.mrc.replication.enable is true then FDATASYNC is forced)
Type: unspecified
Default:
"FSYNC"Example:
"FDATASYNC"Declared by:
services.xtreemfs.mrc.uuid¶
Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in the `utillinux` package.
Type: unspecified
Example:
"eacb6bab-f444-4ebf-a06a-3f72d7465e41"Declared by:
services.xtreemfs.osd.enable¶
Whether to enable XtreemFS OSD service.
Type: unspecified
Default:
trueDeclared by:
services.xtreemfs.osd.address¶
If specified, it defines the interface to listen on. If not specified, the service will listen on all interfaces (any).
Type: unspecified
Default:
""Example:
"127.0.0.1"Declared by:
services.xtreemfs.osd.extraConfig¶
Configuration of XtreemFS OSD service. WARNING: configuration is saved as plaintext inside nix store. For more options: http://www.xtreemfs.org/xtfs-guide-1.5.1/index.html
Type: strings concatenated with “\n”
Example:
'' local_clock_renewal = 0 remote_time_sync = 30000 report_free_space = true capability_secret = iNG8UuQJrJ6XVDTe dir_service.host = 192.168.0.10 dir_service.port = 32638 # if replication is used dir_service.1.host = 192.168.0.11 dir_service.1.port = 32638 dir_service.2.host = 192.168.0.12 dir_service.2.port = 32638 # specify whether SSL is required ssl.enabled = true ssl.service_creds.pw = passphrase ssl.service_creds.container = pkcs12 ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/osd.p12 ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks ssl.trusted_certs.pw = jks_passphrase ssl.trusted_certs.container = jks ''Declared by:
services.xtreemfs.osd.httpPort¶
Specifies the listen port for the HTTP service that returns the status page.
Type: unspecified
Default:
30640Declared by:
services.xtreemfs.osd.port¶
The port to listen on for incoming connections (TCP and UDP).
Type: unspecified
Default:
32640Declared by:
services.xtreemfs.osd.uuid¶
Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with `uuidgen` command, found in the `utillinux` package.
Type: unspecified
Example:
"eacb6bab-f444-4ebf-a06a-3f72d7465e42"Declared by:
services.yandex-disk.enable¶
Whether to enable Yandex-disk client. See https://disk.yandex.ru/
Type: unspecified
Default:
falseDeclared by:
services.yandex-disk.directory¶
The directory to use for Yandex.Disk storage
Type: unspecified
Default:
"/home/Yandex.Disk"Declared by:
services.yandex-disk.excludes¶
Comma-separated list of directories which are excluded from synchronization.
Type: strings concatenated with “,”
Default:
""Example:
"data,backup"Declared by:
services.yandex-disk.password¶
Your yandex.com password. Warning: it will be world-readable in /nix/store.
Type: string
Default:
""Declared by:
services.yandex-disk.user¶
The user the yandex-disk daemon should run as.
Type: unspecified
Default:
nullDeclared by:
services.yandex-disk.username¶
Your yandex.com login name.
Type: string
Default:
""Declared by:
services.yggdrasil.enable¶
Whether to enable the yggdrasil system service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.yggdrasil.package¶
Yggdrasil package to use.
Type: package
Default:
"pkgs.yggdrasil"Declared by:
services.yggdrasil.config¶
Configuration for yggdrasil, as a Nix attribute set.
Warning: this is stored in the WORLD-READABLE Nix store! Therefore, it is not appropriate for private keys. If you do not specify the keys, yggdrasil will generate a new set each time the service is started, creating a random IPv6 address on the yggdrasil network each time.
If you wish to specify the keys, use. If both and are supplied, they will be combined, with values from taking precedence.
You can use the command nix-shell -p yggdrasil –run “yggdrasil -genconf” to generate default configuration values with documentation.
Type: attribute set
Default: ``{
}``
Example:
{ Listen = [ "tcp://0.0.0.0:xxxxx" ] ; Peers = [ "tcp://aa.bb.cc.dd:eeeee" "tcp://\[aaaa:bbbb:cccc:dddd::eeee]:fffff" ] ; }Declared by:
services.yggdrasil.configFile¶
A file which contains JSON configuration for yggdrasil.
You do not have to supply a complete configuration, as yggdrasil will use default values for anything which is omitted. If the encryption and signing keys are omitted, yggdrasil will generate new ones each time the service is started, resulting in a random IPv6 address on the yggdrasil network each time.
If both this option and are supplied, they will be combined, with values from taking precedence.
You can use the command nix-shell -p yggdrasil –run “yggdrasil -genconf -json” to generate a default JSON configuration.
Type: null or string
Default:
nullExample:
"/run/keys/yggdrasil.conf"Declared by:
services.yggdrasil.denyDhcpcdInterfaces¶
Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. Use this option to prevent the DHCP client from broadcasting requests on the yggdrasil network. It is only necessary to do so when yggdrasil is running in TAP mode, because TUN interfaces do not support broadcasting.
Type: list of strings
Default: ``[
]``
Example:
[ "tap*" ]Declared by:
services.yggdrasil.openMulticastPort¶
Whether to open the UDP port used for multicast peer discovery. The NixOS firewall blocks link-local communication, so in order to make local peering work you will also need to set LinkLocalTCPPort in your yggdrasil configuration ( or) to a port number other than 0, and then add that port to.
Type: boolean
Default:
falseDeclared by:
services.ympd.enable¶
Whether to enable ympd, the MPD Web GUI.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.ympd.mpd.host¶
The host where MPD is listening.
Type: string
Default:
"localhost"Example:
"localhost"Declared by:
services.ympd.mpd.port¶
The port where MPD is listening.
Type: signed integer
Default:
6600Example:
6600Declared by:
services.ympd.webPort¶
The port where ympd’s web interface will be available.
Type: string or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
"8080"Example:
"ssl://8080:/path/to/ssl-private-key.pem"Declared by:
services.youtrack.enable¶
Whether to enable YouTrack service.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.youtrack.package¶
Package to use.
Type: package
Default:
"pkgs.youtrack"Declared by:
services.youtrack.address¶
The interface youtrack will listen on.
Type: string
Default:
"127.0.0.1"Declared by:
services.youtrack.baseUrl¶
Base URL for youtrack. Will be auto-detected and stored in database.
Type: null or string
Default:
nullDeclared by:
services.youtrack.extraParams¶
Extra parameters to pass to youtrack. See https://www.jetbrains.com/help/youtrack/standalone/YouTrack-Java-Start-Parameters.html for more information.
Type: attribute set of strings
Default: ``{
}``
Example:
{ jetbrains.youtrack.overrideRootPassword = "tortuga"; }Declared by:
services.youtrack.jvmOpts¶
Extra options to pass to the JVM. See https://www.jetbrains.com/help/youtrack/standalone/Configure-JVM-Options.html for more information.
Type: strings concatenated with ” “
Default:
""Example:
"-XX:MetaspaceSize=250m"Declared by:
services.youtrack.maxMemory¶
Maximum Java heap size
Type: string
Default:
"1g"Declared by:
services.youtrack.maxMetaspaceSize¶
Maximum java Metaspace memory.
Type: string
Default:
"350m"Declared by:
services.youtrack.port¶
The port youtrack will listen on.
Type: signed integer
Default:
8080Declared by:
services.youtrack.statePath¶
Where to keep the youtrack database.
Type: path
Default:
"/var/lib/youtrack"Declared by:
services.youtrack.virtualHost¶
Name of the nginx virtual host to use and setup. If null, do not setup anything.
Type: null or string
Default:
nullDeclared by:
services.zabbixAgent.enable¶
Whether to enable the Zabbix Agent.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zabbixAgent.package¶
The Zabbix package to use.
Type: package
Default:
"pkgs.zabbix.agent"Declared by:
services.zabbixAgent.extraConfig¶
Configuration that is injected verbatim into the configuration file. Refer to` <https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_agentd>`_ for details on supported values.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.zabbixAgent.extraPackages¶
Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything.
Type: list of packages
Default:
"[ nettools ]"Example:
"[ nettools mysql ]"Declared by:
services.zabbixAgent.listen.ip¶
List of comma delimited IP addresses that the agent should listen on.
Type: string
Default:
"0.0.0.0"Declared by:
services.zabbixAgent.listen.port¶
Agent will listen on this port for connections from the server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
10050Declared by:
services.zabbixAgent.modules¶
A set of modules to load.
Type: attribute set of packages
Default: ``{
}``
Example:
{ "dummy.so" = pkgs.stdenv.mkDerivation { name = "zabbix-dummy-module-${cfg.package.version}"; src = cfg.package.src; buildInputs = [ cfg.package ]; sourceRoot = "zabbix-${cfg.package.version}/src/modules/dummy"; installPhase = '' mkdir -p $out/lib cp dummy.so $out/lib/ ''; }; }Declared by:
services.zabbixAgent.openFirewall¶
Open ports in the firewall for the Zabbix Agent.
Type: boolean
Default:
falseDeclared by:
services.zabbixAgent.server¶
The IP address or hostname of the Zabbix server to connect to.
Type: string
Declared by:
services.zabbixProxy.enable¶
Whether to enable the Zabbix Proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zabbixProxy.package¶
The Zabbix package to use.
Type: package
Default:
"pkgs.zabbix.proxy-pgsql"Declared by:
services.zabbixProxy.database.createLocally¶
Whether to create a local database automatically.
Type: boolean
Default:
trueDeclared by:
services.zabbixProxy.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.zabbixProxy.database.name¶
Database name.
Type: string
Default:
"zabbix"Declared by:
services.zabbixProxy.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/zabbix-dbpassword"Declared by:
services.zabbixProxy.database.port¶
Database host port.
Type: signed integer
Default:
5432Declared by:
services.zabbixProxy.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
nullExample:
"/run/postgresql"Declared by:
services.zabbixProxy.database.type¶
Database engine to use.
Type: one of “mysql”, “pgsql”, “sqlite”
Default:
"pgsql"Example:
"mysql"Declared by:
services.zabbixProxy.database.user¶
Database user.
Type: string
Default:
"zabbix"Declared by:
services.zabbixProxy.extraConfig¶
Configuration that is injected verbatim into the configuration file. Refer to` <https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_proxy>`_ for details on supported values.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.zabbixProxy.extraPackages¶
Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything.
Type: list of packages
Default:
"[ nettools nmap traceroute ]"Declared by:
services.zabbixProxy.listen.ip¶
List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.
Type: string
Default:
"0.0.0.0"Declared by:
services.zabbixProxy.listen.port¶
Listen port for trapper.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
10051Declared by:
services.zabbixProxy.modules¶
A set of modules to load.
Type: attribute set of packages
Default: ``{
}``
Example:
{ "dummy.so" = pkgs.stdenv.mkDerivation { name = "zabbix-dummy-module-${cfg.package.version}"; src = cfg.package.src; buildInputs = [ cfg.package ]; sourceRoot = "zabbix-${cfg.package.version}/src/modules/dummy"; installPhase = '' mkdir -p $out/lib cp dummy.so $out/lib/ ''; }; }Declared by:
services.zabbixProxy.openFirewall¶
Open ports in the firewall for the Zabbix Proxy.
Type: boolean
Default:
falseDeclared by:
services.zabbixProxy.server¶
The IP address or hostname of the Zabbix server to connect to.
Type: string
Declared by:
services.zabbixServer.enable¶
Whether to enable the Zabbix Server.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zabbixServer.package¶
The Zabbix package to use.
Type: package
Default:
"pkgs.zabbix.server-pgsql"Declared by:
services.zabbixServer.database.createLocally¶
Whether to create a local database automatically.
Type: boolean
Default:
trueDeclared by:
services.zabbixServer.database.host¶
Database host address.
Type: string
Default:
"localhost"Declared by:
services.zabbixServer.database.name¶
Database name.
Type: string
Default:
"zabbix"Declared by:
services.zabbixServer.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/zabbix-dbpassword"Declared by:
services.zabbixServer.database.port¶
Database host port.
Type: signed integer
Default:
5432Declared by:
services.zabbixServer.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
nullExample:
"/run/postgresql"Declared by:
services.zabbixServer.database.type¶
Database engine to use.
Type: one of “mysql”, “pgsql”
Default:
"pgsql"Example:
"mysql"Declared by:
services.zabbixServer.database.user¶
Database user.
Type: string
Default:
"zabbix"Declared by:
services.zabbixServer.extraConfig¶
Configuration that is injected verbatim into the configuration file. Refer to` <https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_server>`_ for details on supported values.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.zabbixServer.extraPackages¶
Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything.
Type: list of packages
Default:
"[ nettools nmap traceroute ]"Declared by:
services.zabbixServer.listen.ip¶
List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.
Type: string
Default:
"0.0.0.0"Declared by:
services.zabbixServer.listen.port¶
Listen port for trapper.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
10051Declared by:
services.zabbixServer.modules¶
A set of modules to load.
Type: attribute set of packages
Default: ``{
}``
Example:
{ "dummy.so" = pkgs.stdenv.mkDerivation { name = "zabbix-dummy-module-${cfg.package.version}"; src = cfg.package.src; buildInputs = [ cfg.package ]; sourceRoot = "zabbix-${cfg.package.version}/src/modules/dummy"; installPhase = '' mkdir -p $out/lib cp dummy.so $out/lib/ ''; }; }Declared by:
services.zabbixServer.openFirewall¶
Open ports in the firewall for the Zabbix Server.
Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.enable¶
Whether to enable the Zabbix web interface.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zabbixWeb.package¶
Which Zabbix package to use.
Type: package
Default:
"zabbix.web"Declared by:
services.zabbixWeb.database.host¶
Database host address.
Type: string
Default:
""Declared by:
services.zabbixWeb.database.name¶
Database name.
Type: string
Default:
"zabbix"Declared by:
services.zabbixWeb.database.passwordFile¶
A file containing the password corresponding to.
Type: null or path
Default:
nullExample:
"/run/keys/zabbix-dbpassword"Declared by:
services.zabbixWeb.database.port¶
Database host port.
Type: signed integer
Default:
5432Declared by:
services.zabbixWeb.database.socket¶
Path to the unix socket file to use for authentication.
Type: null or path
Default:
nullExample:
"/run/postgresql"Declared by:
services.zabbixWeb.database.type¶
Database engine to use.
Type: one of “mysql”, “pgsql”, “oracle”
Default:
"pgsql"Example:
"mysql"Declared by:
services.zabbixWeb.database.user¶
Database user.
Type: string
Default:
"zabbix"Declared by:
services.zabbixWeb.poolConfig¶
Options for the Zabbix PHP pool. See the documentation on
php-fpm.conffor details on configuration directives.Type: attribute set of string or signed integer or booleans
Default:
{ pm = "dynamic"; pm.max_children = 32; pm.max_requests = 500; pm.max_spare_servers = 4; pm.min_spare_servers = 2; pm.start_servers = 2; }Declared by:
services.zabbixWeb.server.address¶
The IP address or hostname of the Zabbix server to connect to.
Type: string
Default:
"localhost"Declared by:
services.zabbixWeb.server.port¶
The port of the Zabbix server to connect to.
Type: signed integer
Default:
10051Declared by:
services.zabbixWeb.virtualHost¶
Apache configuration can be done by adapting
services.httpd.virtualHosts.<name>. See services.httpd.virtualHosts for further information.Type: submodule
Example:
{ hostName = "zabbix.example.org"; adminAddr = "webmaster@example.org"; forceSSL = true; enableACME = true; }Declared by:
services.zabbixWeb.virtualHost.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through .
Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.enableUserDir¶
Whether to enable serving
~/public_htmlas``/~*username*``.Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.acmeRoot¶
Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here
Type: string
Default:
"/var/lib/acme/acme-challenges"Declared by:
services.zabbixWeb.virtualHost.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.adminAddr¶
E-mail address of the server administrator.
Type: null or string
Default:
nullExample:
"admin@example.org"Declared by:
services.zabbixWeb.virtualHost.documentRoot¶
The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.
Type: null or path
Default:
nullExample:
"/data/webserver/docs"Declared by:
services.zabbixWeb.virtualHost.extraConfig¶
These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.
Type: strings concatenated with “\n”
Default:
""Example:
'' <Directory /home> Options FollowSymlinks AllowOverride All </Directory> ''Declared by:
services.zabbixWeb.virtualHost.forceSSL¶
Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for``listen`` to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.globalRedirect¶
If set, all requests for this host are redirected permanently to the given URL.
Type: null or string
Default:
nullExample:
"http://newserver.example.org/"Declared by:
services.zabbixWeb.virtualHost.hostName¶
Canonical hostname for the server.
Type: string
Default:
"‹name›"Declared by:
services.zabbixWeb.virtualHost.http2¶
Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to ` <https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config>`_ for details.
Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.listen¶
services.zabbixWeb.virtualHost.listen.*.ip¶
IP to listen on. 0.0.0.0 for IPv4 only, * for all.
Type: string
Default:
"\*"Declared by:
services.zabbixWeb.virtualHost.listen.*.port¶
Port to listen on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.zabbixWeb.virtualHost.listen.*.ssl¶
Whether to enable SSL (https) support.
Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.locations¶
Declarative location config. See ` <https://httpd.apache.org/docs/2.4/mod/core.html#location>`_ for details.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "/" = { proxyPass = "http://localhost:3000"; }; "/foo/bar.png" = { alias = "/home/eelco/some-file.png"; }; };Declared by:
services.zabbixWeb.virtualHost.locations.<name>.alias¶
Alias directory for requests. See ` <https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias>`_.
Type: null or path
Default:
nullExample:
"/your/alias/directory"Declared by:
services.zabbixWeb.virtualHost.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.zabbixWeb.virtualHost.locations.<name>.index¶
Adds DirectoryIndex directive. See ` <https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex>`_.
Type: null or string
Default:
nullExample:
"index.php index.html"Declared by:
services.zabbixWeb.virtualHost.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.
Type: signed integer
Default:
1000Declared by:
services.zabbixWeb.virtualHost.locations.<name>.proxyPass¶
Sets up a simple reverse proxy as described by ` <https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple>`_.
Type: null or string
Default:
nullExample:
"http://www.example.org/"Declared by:
services.zabbixWeb.virtualHost.logFormat¶
Log format for Apache’s log files. Possible values are: combined, common, referer, agent.
Type: string
Default:
"common"Example:
"combined"Declared by:
services.zabbixWeb.virtualHost.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.Type: boolean
Default:
falseDeclared by:
services.zabbixWeb.virtualHost.robotsEntries¶
Specification of pages to be ignored by web crawlers. See ` <http://www.robotstxt.org/>`_ for details.
Type: strings concatenated with “\n”
Default:
""Example:
"Disallow: /foo/"Declared by:
services.zabbixWeb.virtualHost.servedDirs¶
services.zabbixWeb.virtualHost.servedFiles¶
This option provides a simple way to serve individual, static files.
Note
This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the
locations.<name>.aliasoption.Type: list of attribute sets
Default: ``[
]``
Example: ``[
{ file = “/home/eelco/some-file.png”; urlPath = “/foo/bar.png”; }
]``
Declared by:
services.zabbixWeb.virtualHost.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of strings
Default: ``[
]``
Example:
[ "www.example.org" "www.example.org:8080" "example.org" ]Declared by:
services.zabbixWeb.virtualHost.sslServerCert¶
Path to server SSL certificate.
Type: path
Example:
"/var/host.cert"Declared by:
services.zabbixWeb.virtualHost.sslServerChain¶
Path to server SSL chain file.
Type: null or path
Default:
nullExample:
"/var/ca.pem"Declared by:
services.zabbixWeb.virtualHost.sslServerKey¶
Path to server SSL certificate key.
Type: path
Example:
"/var/host.key"Declared by:
services.zabbixWeb.virtualHost.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the`rate limit <https://letsencrypt.org/docs/rate-limits/>`_. Alternately, you can generate a certificate through .*Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.*
Type: null or string
Default:
nullDeclared by:
services.zeitgeist.enable¶
Whether to enable zeitgeist.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zerobin.enable¶
Whether to enable 0bin.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zerobin.dataDir¶
Path to the 0bin data directory
Type: string
Default:
"/var/lib/zerobin"Declared by:
services.zerobin.extraConfig¶
Extra configuration to be appended to the 0bin config file (see https://0bin.readthedocs.org/en/latest/en/options.html)
Type: strings concatenated with “\n”
Default:
""Example:
'' MENU = ( ('Home', '/'), ) COMPRESSED_STATIC_FILE = True ''Declared by:
services.zerobin.group¶
The group 0bin should run as
Type: string
Default:
"zerobin"Declared by:
services.zerobin.listenAddress¶
The address zerobin should listen to
Type: string
Default:
"localhost"Example:
"127.0.0.1"Declared by:
services.zerobin.listenPort¶
The port zerobin should listen on
Type: signed integer
Default:
8000Example:
1357Declared by:
services.zerobin.user¶
The user 0bin should run as
Type: string
Default:
"zerobin"Declared by:
services.zeronet.enable¶
Whether to enable zeronet.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zeronet.fileserverPort¶
Zeronet fileserver port.
Type: signed integer
Default:
12261Example:
12261Declared by:
services.zeronet.port¶
Optional zeronet web UI port.
Type: signed integer
Default:
43110Example:
43110Declared by:
services.zeronet.settings¶
zeronet.confconfiguration. Refer to` <https://zeronet.readthedocs.io/en/latest/faq/#is-it-possible-to-use-a-configuration-file>`_ for details on supported values;Type: attribute set of string or signed integer or boolean or list of stringss
Default: ``{
}``
Example:
global.tor = enable;Declared by:
services.zeronet.tor¶
Use TOR for zeronet traffic where possible.
Type: boolean
Default:
falseDeclared by:
services.zeronet.torAlways¶
Use TOR for all zeronet traffic.
Type: boolean
Default:
falseDeclared by:
services.zerotierone.enable¶
Whether to enable ZeroTierOne.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zerotierone.package¶
ZeroTier One package to use.
Type: package
Default:
"pkgs.zerotierone"Declared by:
services.zerotierone.joinNetworks¶
List of ZeroTier Network IDs to join on startup
Type: list of strings
Default: ``[
]``
Example:
[ "a8a2c3c10c1a68de" ]Declared by:
services.zerotierone.port¶
Network port used by ZeroTier.
Type: signed integer
Default:
9993Example:
9993Declared by:
services.zfs.autoReplication.enable¶
Whether to enable ZFS snapshot replication..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zfs.autoReplication.followDelete¶
Remove remote snapshots that don’t have a local correspondant.
Type: boolean
Default:
trueDeclared by:
services.zfs.autoReplication.host¶
Remote host where snapshots should be sent.
Type: string
Example:
"example.com"Declared by:
services.zfs.autoReplication.identityFilePath¶
Path to SSH key used to login to host.
Type: path
Example:
"/home/username/.ssh/id_rsa"Declared by:
services.zfs.autoReplication.localFilesystem¶
Local ZFS fileystem from which snapshots should be sent. Defaults to the attribute name.
Type: string
Example:
"pool/file/path"Declared by:
services.zfs.autoReplication.recursive¶
Recursively discover snapshots to send.
Type: boolean
Default:
trueDeclared by:
services.zfs.autoReplication.remoteFilesystem¶
Remote ZFS filesystem where snapshots should be sent.
Type: string
Example:
"pool/file/path"Declared by:
services.zfs.autoReplication.username¶
Username used by SSH to login to remote host.
Type: string
Example:
"username"Declared by:
services.zfs.autoScrub.enable¶
Whether to enable Enables periodic scrubbing of ZFS pools..
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zfs.autoScrub.interval¶
Systemd calendar expression when to scrub ZFS pools. Seesystemd.time7.
Type: string
Default:
"Sun, 02:00"Example:
"daily"Declared by:
services.zfs.autoScrub.pools¶
List of ZFS pools to periodically scrub. If empty, all pools will be scrubbed.
Type: list of strings
Default: ``[
]``
Example:
[ "tank" ]Declared by:
services.zfs.autoSnapshot.enable¶
Enable the (OpenSolaris-compatible) ZFS auto-snapshotting service. Note that you must set the
com.sun:auto-snapshotproperty totrueon all datasets which you wish to auto-snapshot.You can override a child dataset to use, or not use auto-snapshotting by setting its flag with the given interval:
zfs set com.sun:auto-snapshot:weekly=false DATASETType: boolean
Default:
falseDeclared by:
services.zfs.autoSnapshot.daily¶
Number of daily auto-snapshots that you wish to keep.
Type: signed integer
Default:
7Declared by:
services.zfs.autoSnapshot.flags¶
Flags to pass to the zfs-auto-snapshot command.
Run
zfs-auto-snapshot(without any arguments) to see available flags.If it’s not too inconvenient for snapshots to have timestamps in UTC, it is suggested that you append
--utcto the list of default options (see example).Otherwise, snapshot names can cause name conflicts or apparent time reversals due to daylight savings, timezone or other date/time changes.
Type: string
Default:
"-k -p"Example:
"-k -p --utc"Declared by:
services.zfs.autoSnapshot.frequent¶
Number of frequent (15-minute) auto-snapshots that you wish to keep.
Type: signed integer
Default:
4Declared by:
services.zfs.autoSnapshot.hourly¶
Number of hourly auto-snapshots that you wish to keep.
Type: signed integer
Default:
24Declared by:
services.zfs.autoSnapshot.monthly¶
Number of monthly auto-snapshots that you wish to keep.
Type: signed integer
Default:
12Declared by:
services.zfs.autoSnapshot.weekly¶
Number of weekly auto-snapshots that you wish to keep.
Type: signed integer
Default:
4Declared by:
services.zfs.trim.enable¶
Whether to enable periodic TRIM on all ZFS pools.
Type: boolean
Default:
trueExample:
falseDeclared by:
services.zfs.trim.interval¶
How often we run trim. For most desktop and server systems a sufficient trimming frequency is once a week.
The format is described insystemd.time7.
Type: string
Default:
"weekly"Example:
"daily"Declared by:
services.zfs.zed.settings¶
ZFS Event Daemon /etc/zfs/zed.d/zed.rc content
Seezed8 for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables
Type: attribute set of string or signed integer or boolean or list of stringss
Example:
{ ZED_DEBUG_LOG = "/tmp/zed.debug.log"; ZED_EMAIL_ADDR = [ "root" ]; ZED_EMAIL_PROG = "mail"; ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@"; ZED_NOTIFY_INTERVAL_SECS = 3600; ZED_NOTIFY_VERBOSE = false; ZED_USE_ENCLOSURE_LEDS = true; ZED_SCRUB_AFTER_RESILVER = false; }Declared by:
services.znapzend.enable¶
Whether to enable ZnapZend ZFS backup daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.znapzend.autoCreation¶
Automatically create the destination dataset if it does not exists.
Type: boolean
Default:
falseDeclared by:
services.znapzend.features.compressed¶
Whether to enable compressed feature which adds the options
-Lceto the zfs send command. When this is enabled, make sure that both the sending and receiving pool have the same relevant features enabled. Using-cwill skip unneccessary decompress-compress stages,-Lis for large block support and -e is for embedded data support. seeznapzend1 and zfs8 for more info. .Type: boolean
Default:
falseExample:
trueDeclared by:
services.znapzend.features.recvu¶
Whether to enable recvu feature which uses
-uon the receiving end to keep the destination filesystem unmounted. .Type: boolean
Default:
falseExample:
trueDeclared by:
services.znapzend.logLevel¶
The log level when logging to file. Any of debug, info, warning, err, alert. Default in daemonized form is debug.
Type: one of “debug”, “info”, “warning”, “err”, “alert”
Default:
"debug"Example:
"warning"Declared by:
services.znapzend.logTo¶
Where to log to (syslog::<facility> or <filepath>).
Type: string
Default:
"syslog::daemon"Example:
"/var/log/znapzend.log"Declared by:
services.znapzend.noDestroy¶
Does all changes to the filesystem except destroy.
Type: boolean
Default:
falseDeclared by:
services.znapzend.pure¶
Do not persist any stateful znapzend setups. If this option is enabled, your previously set znapzend setups will be cleared and only the ones defined with this module will be applied.
Type: boolean
Default:
falseDeclared by:
services.znapzend.zetup¶
Znapzend configuration.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ "tank/home" = { # Make snapshots of tank/home every hour, keep those for 1 day, # keep every days snapshot for 1 month, etc. plan = "1d=>1h,1m=>1d,1y=>1m"; recursive = true; # Send all those snapshots to john@example.com:rtank/john as well destinations.remote = { host = "john@example.com"; dataset = "rtank/john"; }; }; };Declared by:
services.znapzend.zetup.<name?>.enable¶
Whether to enable this source.
Type: boolean
Default:
trueDeclared by:
services.znapzend.zetup.<name?>.dataset¶
The dataset to use for this source.
Type: string
Example:
"tank/home"Declared by:
services.znapzend.zetup.<name?>.destinations¶
Additional destinations.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ local = { dataset = "btank/backup"; presend = "zpool import -N btank"; postsend = "zpool export btank"; }; remote = { host = "john@example.com"; dataset = "tank/john"; }; };Declared by:
services.znapzend.zetup.<name?>.destinations.<name?>.dataset¶
Dataset name to send snapshots to.
Type: string
Example:
"tank/main"Declared by:
services.znapzend.zetup.<name?>.destinations.<name?>.host¶
Host to use for the destination dataset. Can be prefixed with``user@`` to specify the ssh user.
Type: null or string
Default:
nullExample:
"john@example.com"Declared by:
services.znapzend.zetup.<name?>.destinations.<name?>.label¶
Label for this destination. Defaults to the attribute name.
Type: string
Declared by:
services.znapzend.zetup.<name?>.destinations.<name?>.plan¶
The znapzend backup plan to use for the source.
The plan specifies how often to backup and for how long to keep the backups. It consists of a series of retention periodes to interval associations:
retA=>intA,retB=>intB,...Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use both the full name or a shortcut according to the following listing:
second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|ySee znapzendzetup1 for more info.
Type: string
Example:
"1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"Declared by:
services.znapzend.zetup.<name?>.destinations.<name?>.postsend¶
Command to run after sending the snapshot to the destination. Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also .
Type: null or string
Default:
nullExample:
"ssh root@bserv zpool export tank"Declared by:
services.znapzend.zetup.<name?>.destinations.<name?>.presend¶
Command to run before sending the snapshot to the destination. Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also .
Type: null or string
Default:
nullExample:
"ssh root@bserv zpool import -Nf tank"Declared by:
services.znapzend.zetup.<name?>.mbuffer.enable¶
Whether to use mbuffer.
Type: boolean
Default:
falseDeclared by:
services.znapzend.zetup.<name?>.mbuffer.port¶
Port to use for mbuffer.
If this is null, it will run mbuffer through ssh.
If this is not null, it will run mbuffer directly through TCP, which is not encrypted but faster. In that case the given port needs to be open on the destination host.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
nullDeclared by:
services.znapzend.zetup.<name?>.mbuffer.size¶
The size for mbuffer. Supports the units b, k, M, G.
Type: string of the form number{b|k|M|G}
Default:
"1G"Example:
"128M"Declared by:
services.znapzend.zetup.<name?>.plan¶
The znapzend backup plan to use for the source.
The plan specifies how often to backup and for how long to keep the backups. It consists of a series of retention periodes to interval associations:
retA=>intA,retB=>intB,...Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use both the full name or a shortcut according to the following listing:
second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|ySee znapzendzetup1 for more info.
Type: string
Example:
"1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"Declared by:
services.znapzend.zetup.<name?>.postsnap¶
Command to run after snapshots are taken on the source dataset, e.g. for database unlocking. See also .
Type: null or string
Default:
nullExample:
${pkgs.coreutils}/bin/kill `${pkgs.coreutils}/bin/cat /tmp/mariadblock.pid`;${pkgs.coreutils}/bin/rm /tmp/mariadblock.pidDeclared by:
services.znapzend.zetup.<name?>.presnap¶
Command to run before snapshots are taken on the source dataset, e.g. for database locking/flushing. See also.
Type: null or string
Default:
nullExample:
${pkgs.mariadb}/bin/mysql -e "set autocommit=0;flush tables with read lock;\\! ${pkgs.coreutils}/bin/sleep 600" & ${pkgs.coreutils}/bin/echo $! > /tmp/mariadblock.pid ; sleep 10Declared by:
services.znapzend.zetup.<name?>.recursive¶
Whether to do recursive snapshots.
Type: boolean
Default:
falseDeclared by:
services.znapzend.zetup.<name?>.sendDelay¶
Specify delay (in seconds) before sending snaps to the destination. May be useful if you want to control sending time.
Type: signed integer
Default:
0Example:
60Declared by:
services.znapzend.zetup.<name?>.timestampFormat¶
The timestamp format to use for constructing snapshot names. The syntax is
strftime-like. The string must consist of the mandatory%Y %m %d %H %M %S. Optionally- _ . :characters as well as any alphanumeric character are allowed. If suffixed by a``Z``, times will be in UTC.Type: string containing all of the characters %Y, %m, %d, %H, %M, %S
Default:
"%Y-%m-%d-%H%M%S"Example:
"znapzend-%m.%d.%Y-%H%M%SZ"Declared by:
services.znc.enable¶
Whether to enable ZNC.
Type: boolean
Default:
falseExample:
trueDeclared by:
services.znc.confOptions.extraZncConf¶
Extra config to `znc.conf` file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.znc.confOptions.modules¶
A list of modules to include in the `znc.conf` file.
Type: list of strings
Default:
[ "webadmin" "adminlog" ]Example:
[ "partyline" "webadmin" "adminlog" "log" ]Declared by:
services.znc.confOptions.networks¶
IRC networks to connect the user to.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ "freenode" = { server = "chat.freenode.net"; port = 6697; useSSL = true; modules = [ "simple_away" ]; }; };Declared by:
services.znc.confOptions.networks.<name>.channels¶
services.znc.confOptions.networks.<name>.extraConf¶
Extra config for the network. Consider using instead.
Type: strings concatenated with “\n”
Default:
""Example:
'' Encoding = ^UTF-8 FloodBurst = 4 FloodRate = 1.00 IRCConnectEnabled = true Ident = johntron JoinDelay = 0 Nick = johntron ''Declared by:
services.znc.confOptions.networks.<name>.hasBitlbeeControlChannel¶
Whether to add the special Bitlbee operations channel.
Type: boolean
Default:
falseDeclared by:
services.znc.confOptions.networks.<name>.modules¶
ZNC network modules to load.
Type: list of strings
Default:
[ "simple_away" ]Example:
[ simple_away sasl ]Declared by:
services.znc.confOptions.networks.<name>.password¶
IRC server password, such as for a Slack gateway.
Type: string
Default:
""Declared by:
services.znc.confOptions.networks.<name>.port¶
IRC server port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
6697Declared by:
services.znc.confOptions.networks.<name>.server¶
IRC server address.
Type: string
Example:
"chat.freenode.net"Declared by:
services.znc.confOptions.networks.<name>.useSSL¶
Whether to use SSL to connect to the IRC server.
Type: boolean
Default:
trueDeclared by:
services.znc.confOptions.nick¶
The IRC nick.
Type: string
Default:
"znc-user"Example:
"john"Declared by:
services.znc.confOptions.passBlock¶
Generate with `nix-shell -p znc –command “znc –makepass”`. This is the password used to log in to the ZNC web admin interface. You can also set this through and co.
Type: string
Example:
<Pass password> Method = sha256 Hash = e2ce303c7ea75c571d80d8540a8699b46535be6a085be3414947d638e48d9e93 Salt = l5Xryew4g*!oa(ECfX2o </Pass>Declared by:
services.znc.confOptions.port¶
Specifies the port on which to listen.
Type: signed integer
Default:
5000Declared by:
services.znc.confOptions.uriPrefix¶
An optional URI prefix for the ZNC web interface. Can be used to make ZNC available behind a reverse proxy.
Type: null or string
Default:
nullExample:
"/znc/"Declared by:
services.znc.confOptions.useSSL¶
Indicates whether the ZNC server should use SSL when listening on the specified port. A self-signed certificate will be generated.
Type: boolean
Default:
trueDeclared by:
services.znc.confOptions.userModules¶
A list of user modules to include in the `znc.conf` file.
Type: list of strings
Default:
[ "chansaver" "controlpanel" ]Example:
[ "chansaver" "controlpanel" "fish" "push" ]Declared by:
services.znc.confOptions.userName¶
The user name used to log in to the ZNC web admin interface.
Type: string
Default:
"znc"Example:
"johntron"Declared by:
services.znc.config¶
Configuration for ZNC, see` <https://wiki.znc.in/Configuration>`_ for details. The Nix value declared here will be translated directly to the xml-like format ZNC expects. This is much more flexible than the legacy options under , but also can’t do any type checking.
You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config to view the current value. By default it contains a listener for port 5000 with SSL enabled.
Nix attributes called
extraConfigwill be inserted verbatim into the resulting config file.If is turned on, the option values in will be gracefully be applied to this option.
If you intend to update the configuration through this option, be sure to enable , otherwise none of the changes here will be applied after the initial deploy.
Type: attribute set of znc values (null, atoms (str, int, bool), list of atoms, or attrsets of znc values)s
Default: ``{
}``
Example:
{ LoadModule = [ "webadmin" "adminlog" ]; User.paul = { Admin = true; Nick = "paul"; AltNick = "paul1"; LoadModule = [ "chansaver" "controlpanel" ]; Network.freenode = { Server = "chat.freenode.net +6697"; LoadModule = [ "simple_away" ]; Chan = { "#nixos" = { Detached = false; }; "##linux" = { Disabled = true; }; }; }; Pass.password = { Method = "sha256"; Hash = "e2ce303c7ea75c571d80d8540a8699b46535be6a085be3414947d638e48d9e93"; Salt = "l5Xryew4g*!oa(ECfX2o"; }; }; }Declared by:
services.znc.configFile¶
Configuration file for ZNC. It is recommended to use the option instead.
Setting this option will override any auto-generated config file through the or options.
Type: path
Example:
"~/.znc/configs/znc.conf"Declared by:
services.znc.dataDir¶
The state directory for ZNC. The config and the modules will be linked to from this directory as well.
Type: path
Default:
"/var/lib/znc/"Example:
"/home/john/.znc/"Declared by:
services.znc.extraFlags¶
Extra arguments to use for executing znc.
Type: list of strings
Default: ``[
]``
Example:
[ "--debug" ]Declared by:
services.znc.group¶
Group to own the ZNC process.
Type: string
Default:
"znc"Example:
"users"Declared by:
services.znc.modulePackages¶
A list of global znc module packages to add to znc.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.zncModules.fish pkgs.zncModules.push ]Declared by:
services.znc.mutable¶
Indicates whether to allow the contents of the``dataDir`` directory to be changed by the user at run-time.
If enabled, modifications to the ZNC configuration after its initial creation are not overwritten by a NixOS rebuild. If disabled, the ZNC configuration is rebuilt on every NixOS rebuild.
If the user wants to manage the ZNC service using the web admin interface, this option should be enabled.
Type: boolean
Default:
trueDeclared by:
services.znc.openFirewall¶
Whether to open ports in the firewall for ZNC. Does work with ports for listeners specified in.
Type: boolean
Default:
falseDeclared by:
services.znc.useLegacyConfig¶
Whether to propagate the legacy options under to the znc config. If this is turned on, the znc config will contain a user with the default name “znc”, global modules “webadmin” and “adminlog” will be enabled by default, and more, all controlled through the options. You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config to view the current value of the config.
In any case, if you need more flexibility, can be used to override/add to all of the legacy options.
Type: boolean
Default:
trueDeclared by:
services.znc.user¶
The name of an existing user account to use to own the ZNC server process. If not specified, a default user will be created.
Type: string
Default:
"znc"Example:
"john"Declared by:
services.zoneminder.enable¶
Whether to enable ZoneMinder
If you intend to run the database locally, you should set `config.services.zoneminder.database.createLocally` to true. Otherwise, when set to `false` (the default), you will have to create the database and database user as well as populate the database yourself. .
Type: boolean
Default:
falseExample:
trueDeclared by:
services.zoneminder.cameras¶
Set this to the number of cameras you expect to support.
Type: signed integer
Default:
1Declared by:
services.zoneminder.database.createLocally¶
Create the database and database user locally.
Type: boolean
Default:
falseDeclared by:
services.zoneminder.database.host¶
Hostname hosting the database.
Type: string
Default:
"localhost"Declared by:
services.zoneminder.database.name¶
Name of database.
Type: string
Default:
"zm"Declared by:
services.zoneminder.database.password¶
Username for accessing the database. Not used if
createLocallyis set.Type: string
Default:
"zmpass"Declared by:
services.zoneminder.database.username¶
Username for accessing the database.
Type: string
Default:
"zmuser"Declared by:
services.zoneminder.extraConfig¶
Additional configuration added verbatim to the configuration file.
Type: strings concatenated with “\n”
Default:
""Declared by:
services.zoneminder.hostname¶
The hostname on which to listen.
Type: string
Default:
"localhost"Declared by:
services.zoneminder.openFirewall¶
Open the firewall port(s).
Type: boolean
Default:
falseDeclared by:
services.zoneminder.port¶
The port on which to listen.
Type: signed integer
Default:
8095Declared by:
services.zoneminder.storageDir¶
ZoneMinder can generate quite a lot of data, so in case you don’t want to use the default /var/lib/zoneminder, you can override the path here.
Type: null or string
Default:
nullExample:
"/storage/tank"Declared by:
services.zoneminder.webserver¶
The webserver to configure for the PHP frontend.
Set it to `none` if you want to configure it yourself. PRs are welcome for support for other web servers.
Type: one of “nginx”, “none”
Default:
"nginx"Declared by:
services.zookeeper.enable¶
Whether to enable Zookeeper.
Type: boolean
Default:
falseDeclared by:
services.zookeeper.package¶
The zookeeper package to use
Type: package
Default:
"pkgs.zookeeper"Declared by:
services.zookeeper.dataDir¶
Data directory for Zookeeper
Type: path
Default:
"/var/lib/zookeeper"Declared by:
services.zookeeper.extraCmdLineOptions¶
Extra command line options for the Zookeeper launcher.
Type: list of strings
Default:
[ "-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.local.only=true" ]Example:
[ "-Djava.net.preferIPv4Stack=true" "-Dcom.sun.management.jmxremote" "-Dcom.sun.management.jmxremote.local.only=true" ]Declared by:
services.zookeeper.extraConf¶
Extra configuration for Zookeeper.
Type: strings concatenated with “\n”
Default:
'' initLimit=5 syncLimit=2 tickTime=2000 ''Declared by:
services.zookeeper.id¶
Zookeeper ID.
Type: signed integer
Default:
0Declared by:
services.zookeeper.logging¶
Zookeeper logging configuration.
Type: strings concatenated with “\n”
Default:
'' zookeeper.root.logger=INFO, CONSOLE log4j.rootLogger=INFO, CONSOLE log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout log4j.appender.CONSOLE.layout.ConversionPattern=[myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n ''Declared by:
services.zookeeper.port¶
Zookeeper Client port.
Type: signed integer
Default:
2181Declared by:
services.zookeeper.preferIPv4¶
Add the -Djava.net.preferIPv4Stack=true flag to the Zookeeper server.
Type: boolean
Default:
trueDeclared by:
services.zookeeper.purgeInterval¶
The time interval in hours for which the purge task has to be triggered. Set to a positive integer (1 and above) to enable the auto purging.
Type: signed integer
Default:
1Declared by:
services.zookeeper.servers¶
All Zookeeper Servers.
Type: strings concatenated with “\n”
Default:
""Example:
'' server.0=host0:2888:3888 server.1=host1:2888:3888 server.2=host2:2888:3888 ''Declared by:
services.zope2.instances¶
zope2 instances to be created automaticaly by the system.
Type: attribute set of submodules
Default: ``{
}``
Example:
{ plone01 = { http_address = "127.0.0.1:8080"; extra = '' <zodb_db main> mount-point / cache-size 30000 <blobstorage> blob-dir /var/lib/zope2/plone01/blobstorage <filestorage> path /var/lib/zope2/plone01/filestorage/Data.fs </filestorage> </blobstorage> </zodb_db> ''; }; }Declared by:
services.zope2.instances.<name>.packages¶
The list of packages you want to make available to the zope2 instance.
Type: list of packages
Declared by:
services.zope2.instances.<name>.clientHome¶
Home directory of zope2 instance.
Type: path
Default:
"/var/lib/zope2/‹name›"Declared by:
services.zope2.instances.<name>.extra¶
Extra zope.conf
Type: strings concatenated with “\n”
Default:
'' <zodb_db main> mount-point / cache-size 30000 <blobstorage> blob-dir /var/lib/zope2/‹name›/blobstorage <filestorage> path /var/lib/zope2/‹name›/filestorage/Data.fs </filestorage> </blobstorage> </zodb_db> ''Declared by:
services.zope2.instances.<name>.http_address¶
Give a port and address for the HTTP server.
Type: string
Default:
"localhost:8080"Declared by:
services.zope2.instances.<name>.name¶
The name of the zope2 instance. If undefined, the name of the attribute set will be used.
Type: string
Default:
"‹name›"Declared by:
services.zope2.instances.<name>.threads¶
Specify the number of threads that Zope’s ZServer web server will use to service requests.
Type: signed integer
Default:
2Declared by:
services.zope2.instances.<name>.user¶
The name of the effective user for the Zope process.
Type: string
Default:
"zope2"Declared by:
sound.enable¶
Whether to enable ALSA sound.
Type: boolean
Default:
falseDeclared by:
sound.enableOSSEmulation¶
Whether to enable ALSA OSS emulation (with certain cards sound mixing may not work!).
Type: boolean
Default:
trueDeclared by:
sound.extraConfig¶
Set addition configuration for system-wide alsa.
Type: strings concatenated with “\n”
Default:
""Example:
'' defaults.pcm.!card 3 ''Declared by:
sound.mediaKeys.enable¶
Whether to enable volume and capture control with keyboard media keys.
You want to leave this disabled if you run a desktop environment like KDE, Gnome, Xfce, etc, as those handle such things themselves. You might want to enable this if you run a minimalistic desktop environment or work from bare linux ttys/framebuffers.
Enabling this will turn on .
Type: boolean
Default:
falseDeclared by:
sound.mediaKeys.volumeStep¶
The value by which to increment/decrement volume on media keys.
See amixer(1) for allowed values.
Type: string
Default:
"1"Example:
"1%"Declared by:
swapDevices¶
The swap devices and swap files. These must have been initialised using mkswap. Each element should be an attribute set specifying either the path of the swap device or file (
device) or the label of the swap device (label, see:command:mkswap -L). Using a label is recommended.Type: list of submodules
Default: ``[
]``
Example: ``[
{ device = “/dev/hda7”; }
{ device = “/var/swapfile”; }
{ label = “bigswap”; }
]``
Declared by:
swapDevices.*.device¶
Path of the device or swap file.
Type: string
Example:
"/dev/sda3"Declared by:
swapDevices.*.encrypted.enable¶
The block device is backed by an encrypted one, adds this device as a initrd luks entry.
Type: boolean
Default:
falseDeclared by:
swapDevices.*.encrypted.blkDev¶
Location of the backing encrypted device.
Type: null or string
Default:
nullExample:
"/dev/sda1"Declared by:
swapDevices.*.encrypted.keyFile¶
File system location of keyfile. This unlocks the drive after the root has been mounted to
/mnt-root.Type: null or string
Default:
nullExample:
"/mnt-root/root/.swapkey"Declared by:
swapDevices.*.encrypted.label¶
Label of the unlocked encrypted device. Set
fileSystems.<name?>.deviceto/dev/mapper/<label>to mount the unlocked device.Type: null or string
Default:
nullExample:
"rootfs"Declared by:
swapDevices.*.label¶
Label of the device. Can be used instead of
device.Type: string
Example:
"swap"Declared by:
swapDevices.*.priority¶
Specify the priority of the swap device. Priority is a value between 0 and 32767. Higher numbers indicate higher priority. null lets the kernel choose a priority, which will show up as a negative value.
Type: null or signed integer
Default:
nullExample:
2048Declared by:
swapDevices.*.randomEncryption¶
Encrypt swap device with a random key. This way you won’t have a persistent swap device.
HINT: run “cryptsetup benchmark” to test cipher performance on your machine.
WARNING: Don’t try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it!
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…
Type: submodule or boolean convertible to it
Default:
falseExample:
{ cipher = "serpent-xts-plain64"; enable = true; source = "/dev/random"; }Declared by:
swapDevices.*.randomEncryption.enable¶
Encrypt swap device with a random key. This way you won’t have a persistent swap device.
WARNING: Don’t try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it!
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…
Type: boolean
Default:
falseDeclared by:
swapDevices.*.randomEncryption.cipher¶
Use specified cipher for randomEncryption.
Hint: Run “cryptsetup benchmark” to see which one is fastest on your machine.
Type: string
Default:
"aes-xts-plain64"Example:
"serpent-xts-plain64"Declared by:
swapDevices.*.randomEncryption.source¶
Define the source of randomness to obtain a random key for encryption.
Type: string
Default:
"/dev/urandom"Example:
"/dev/random"Declared by:
swapDevices.*.size¶
If this option is set, ‘device’ is interpreted as the path of a swapfile that will be created automatically with the indicated size (in megabytes).
Type: null or signed integer
Default:
nullExample:
2048Declared by:
system.activationScripts¶
A set of shell script fragments that are executed when a NixOS system configuration is activated. Examples are updating /etc, creating accounts, and so on. Since these are executed every time you boot the system or run:command:nixos-rebuild, it’s important that they are idempotent and fast.
Type: attribute set of unspecifieds
Default: ``{
}``
Example:
{ stdio = { text = '' # Needed by some programs. ln -sfn /proc/self/fd /dev/fd ln -sfn /proc/self/fd/0 /dev/stdin ln -sfn /proc/self/fd/1 /dev/stdout ln -sfn /proc/self/fd/2 /dev/stderr ''; deps = []; }; }Declared by:
system.autoUpgrade.enable¶
Whether to periodically upgrade NixOS to the latest version. If enabled, a systemd timer will run``nixos-rebuild switch –upgrade`` once a day.
Type: boolean
Default:
falseDeclared by:
system.autoUpgrade.allowReboot¶
Reboot the system into the new generation instead of a switch if the new generation uses a different kernel, kernel modules or initrd than the booted system.
Type: boolean
Default:
falseDeclared by:
system.autoUpgrade.channel¶
The URI of the NixOS channel to use for automatic upgrades. By default, this is the channel set using:command:nix-channel (run
nix-channel --listto see the current value).Type: null or string
Default:
nullExample:
"https://nixos.org/channels/nixos-14.12-small"Declared by:
system.autoUpgrade.dates¶
Specification (in the format described bysystemd.time7) of the time at which the update will occur.
Type: string
Default:
"04:40"Declared by:
system.autoUpgrade.flags¶
Any additional flags passed to nixos-rebuild.
Type: list of strings
Default: ``[
]``
Example:
[ "-I" "stuff=/home/alice/nixos-stuff" "--option" "extra-binary-caches" "http://my-cache.example.org/" ]Declared by:
system.configurationRevision¶
The Git revision of the top-level flake from which this configuration was built.
Type: null or string
Default:
nullDeclared by:
system.copySystemConfiguration¶
If enabled, copies the NixOS configuration file (usually
/etc/nixos/configuration.nix) and links it from the resulting system (getting to/run/current-system/configuration.nix). Note that only this single file is copied, even if it imports others.Type: boolean
Default:
falseDeclared by:
system.extraDependencies¶
A list of packages that should be included in the system closure but not otherwise made available to users. This is primarily used by the installation tests.
Type: list of packages
Default: ``[
]``
Declared by:
system.nixos.codeName¶
The NixOS release code name (e.g.
Emu).Type: string (read only)
Default:
"Nightingale"Declared by:
system.nixos.label¶
NixOS version name to be used in the names of generated outputs and boot labels.
If you ever wanted to influence the labels in your GRUB menu, this is the option for you.
The default is separated by “-” + “-” + NIXOS_LABEL_VERSION environment variable (defaults to the value of).
Can be overriden by setting NIXOS_LABEL.
Useful for not loosing track of configurations built from different nixos branches/revisions, e.g.:
#!/bin/sh today=`date +%Y%m%d` branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\\* / { s|^\\* \||; p; }')` revision=`(cd nixpkgs ; git rev-parse HEAD)` export NIXOS_LABEL_VERSION="$today.$branch-${revision:0:7}" nixos-rebuild switchType: string
Declared by:
system.nixos.release¶
The NixOS release (e.g.
16.03).Type: string (read only)
Default:
"20.09"Declared by:
system.nixos.tags¶
Strings to prefix to the default.
Useful for not loosing track of configurations built with different options, e.g.:
{ system.nixos.tags = [ "with-xen" ]; virtualisation.xen.enable = true; }Type: list of strings
Default: ``[
]``
Example:
[ "with-xen" ]Declared by:
system.nssHosts¶
List of host entries to configure in
/etc/nsswitch.conf.Type: list of strings
Default: ``[
]``
Example:
[ "mdns" ]Declared by:
system.replaceRuntimeDependencies¶
List of packages to override without doing a full rebuild. The original derivation and replacement derivation must have the same name length, and ideally should have close-to-identical directory layout.
Type: list of submodules
Default: ``[
]``
Example:
[ ({ original = pkgs.openssl; replacement = pkgs.callPackage /path/to/openssl { }; }) ]Declared by:
system.replaceRuntimeDependencies.*.original¶
The original package to override.
Type: package
Declared by:
system.replaceRuntimeDependencies.*.replacement¶
The replacement package.
Type: package
Declared by:
system.stateVersion¶
Every once in a while, a new NixOS release may change configuration defaults in a way incompatible with stateful data. For instance, if the default version of PostgreSQL changes, the new version will probably be unable to read your existing databases. To prevent such breakage, you should set the value of this option to the NixOS release with which you want to be compatible. The effect is that NixOS will use defaults corresponding to the specified release (such as using an older version of PostgreSQL). It‘s perfectly fine and recommended to leave this value at the release version of the first install of this system. Changing this option will not upgrade your system. In fact it is meant to stay constant exactly when you upgrade your system. You should only bump this option, if you are sure that you can or have migrated all state on your system which is affected by this option.
Type: string
Default:
"20.09"Declared by:
system.userActivationScripts¶
A set of shell script fragments that are executed by a systemd user service when a NixOS system configuration is activated. Examples are rebuilding the .desktop file cache for showing applications in the menu. Since these are executed every time you run:command:nixos-rebuild, it’s important that they are idempotent and fast.
Type: attribute set of unspecifieds
Default: ``{
}``
Example:
{ plasmaSetup = { text = '' ${pkgs.libsForQt5.kservice}/bin/kbuildsycoca5" ''; deps = []; }; }Declared by:
systemd.enableCgroupAccounting¶
Whether to enable cgroup accounting.
Type: boolean
Default:
trueDeclared by:
systemd.enableEmergencyMode¶
Whether to enable emergency mode, which is an:command:sulogin shell started on the console if mounting a filesystem fails. Since some machines (like EC2 instances) have no console of any kind, emergency mode doesn’t make sense, and it’s better to continue with the boot insofar as possible.
Type: boolean
Default:
trueDeclared by:
systemd.package¶
The systemd package.
Type: package
Default:
"pkgs.systemd"Declared by:
systemd.packages¶
Packages providing systemd units and hooks.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.systemd-cryptsetup-generator ]Declared by:
systemd.additionalUpstreamSystemUnits¶
Additional units shipped with systemd that shall be enabled.
Type: list of strings
Default: ``[
]``
Example:
[ "debug-shell.service" "systemd-quotacheck.service" ]Declared by:
systemd.automounts¶
Definition of systemd automount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.
Type: list of submodules
Default: ``[
]``
Declared by:
systemd.automounts.*.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.automounts.*.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.aliases¶
systemd.automounts.*.automountConfig¶
Each attribute in this set specifies an option in the``[Automount]`` section of the unit. Seesystemd.automount5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ DirectoryMode = "0775"; }Declared by:
systemd.automounts.*.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.automounts.*.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.automounts.*.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.automounts.*.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.automounts.*.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.automounts.*.where¶
Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)
Type: string
Example:
"/mnt"Declared by:
systemd.coredump.enable¶
Whether core dumps should be processed by:command:systemd-coredump. If disabled, core dumps appear in the current directory of the crashing process.
Type: boolean
Default:
trueDeclared by:
systemd.coredump.extraConfig¶
Extra config options for systemd-coredump. See coredump.conf(5) man page for available options.
Type: strings concatenated with “\n”
Default:
""Example:
"Storage=journal"Declared by:
systemd.ctrlAltDelUnit¶
Target that should be started when Ctrl-Alt-Delete is pressed.
Type: string
Default:
"reboot.target"Example:
"poweroff.target"Declared by:
systemd.defaultUnit¶
Default unit started when the system boots.
Type: string
Default:
"multi-user.target"Declared by:
systemd.extraConfig¶
Extra config options for systemd. See man systemd-system.conf for available options.
Type: strings concatenated with “\n”
Default:
""Example:
"DefaultLimitCORE=infinity"Declared by:
systemd.generators¶
Definition of systemd generators. For each
NAME = VALUEpair of the attrSet, a link is generated from``/etc/systemd/system-generators/NAME`` toVALUE.Type: attribute set of paths
Default: ``{
}``
Example:
{ systemd-gpt-auto-generator = "/dev/null"; }Declared by:
systemd.globalEnvironment¶
Environment variables passed to all systemd units.
Type: attribute set of null or string or path or packages
Default: ``{
}``
Example:
{ TZ = "CET"; }Declared by:
systemd.mounts¶
Definition of systemd mount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.
Type: list of submodules
Default: ``[
]``
Declared by:
systemd.mounts.*.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.mounts.*.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.mounts.*.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.mountConfig¶
Each attribute in this set specifies an option in the``[Mount]`` section of the unit. Seesystemd.mount5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ DirectoryMode = "0775"; }Declared by:
systemd.mounts.*.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.options¶
Options used to mount the file system.
Type: strings concatenated with “,”
Default:
""Example:
"noatime"Declared by:
systemd.mounts.*.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.mounts.*.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.mounts.*.type¶
File system type.
Type: string
Default:
""Example:
"ext4"Declared by:
systemd.mounts.*.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.mounts.*.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.mounts.*.what¶
Absolute path of device node, file or other resource. (Mandatory)
Type: string
Example:
"/dev/sda1"Declared by:
systemd.mounts.*.where¶
Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)
Type: string
Example:
"/mnt"Declared by:
systemd.network.enable¶
Whether to enable networkd or not.
Type: boolean
Default:
falseDeclared by:
systemd.network.links¶
Definition of systemd network links.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.network.links.<name>.enable¶
Whether to manage network configuration using systemd-network.
Type: boolean
Default:
trueDeclared by:
systemd.network.links.<name>.extraConfig¶
Extra configuration append to unit
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.network.links.<name>.linkConfig¶
Each attribute in this set specifies an option in the``[Link]`` section of the unit. Seesystemd.link5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ MACAddress = "00:ff:ee:aa:cc:dd"; }Declared by:
systemd.network.links.<name>.matchConfig¶
Each attribute in this set specifies an option in the``[Match]`` section of the unit. Seesystemd.link5systemd.netdev5systemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Name = "eth0"; }Declared by:
systemd.network.netdevs¶
Definition of systemd network devices.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.network.netdevs.<name>.enable¶
Whether to manage network configuration using systemd-network.
Type: boolean
Default:
trueDeclared by:
systemd.network.netdevs.<name>.bondConfig¶
Each attribute in this set specifies an option in the``[Bond]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Mode = "802.3ad"; }Declared by:
systemd.network.netdevs.<name>.extraConfig¶
Extra configuration append to unit
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.network.netdevs.<name>.macvlanConfig¶
Each attribute in this set specifies an option in the``[MACVLAN]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Mode = "private"; }Declared by:
systemd.network.netdevs.<name>.matchConfig¶
Each attribute in this set specifies an option in the``[Match]`` section of the unit. Seesystemd.link5systemd.netdev5systemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Name = "eth0"; }Declared by:
systemd.network.netdevs.<name>.netdevConfig¶
Each attribute in this set specifies an option in the``[Netdev]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Kind = "bridge"; Name = "mybridge"; }Declared by:
systemd.network.netdevs.<name>.peerConfig¶
Each attribute in this set specifies an option in the``[Peer]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Name = "veth2"; }Declared by:
systemd.network.netdevs.<name>.tapConfig¶
Each attribute in this set specifies an option in the``[Tap]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ User = "openvpn"; }Declared by:
systemd.network.netdevs.<name>.tunConfig¶
Each attribute in this set specifies an option in the``[Tun]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ User = "openvpn"; }Declared by:
systemd.network.netdevs.<name>.tunnelConfig¶
Each attribute in this set specifies an option in the``[Tunnel]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Remote = "192.168.1.1"; }Declared by:
systemd.network.netdevs.<name>.vlanConfig¶
Each attribute in this set specifies an option in the``[VLAN]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Id = "4"; }Declared by:
systemd.network.netdevs.<name>.vrfConfig¶
Each attribute in this set specifies an option in the``[VRF]`` section of the unit. Seesystemd.netdev5 for details. A detailed explanation about how VRFs work can be found in the`kernel docs <https://www.kernel.org/doc/Documentation/networking/vrf.txt>`_.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Table = 2342; }Declared by:
systemd.network.netdevs.<name>.vxlanConfig¶
Each attribute in this set specifies an option in the``[VXLAN]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Id = "4"; }Declared by:
systemd.network.netdevs.<name>.wireguardConfig¶
Each attribute in this set specifies an option in the``[WireGuard]`` section of the unit. Seesystemd.netdev5 for details. Use
PrivateKeyFileinstead of``PrivateKey``: the nix store is world-readable.Type: attribute set of systemd options
Default: ``{
}``
Example:
{ FwMark = 42; ListenPort = 51820; PrivateKeyFile = "/etc/wireguard/secret.key"; }Declared by:
systemd.network.netdevs.<name>.wireguardPeers¶
Each item in this array specifies an option in the``[WireGuardPeer]`` section of the unit. Seesystemd.netdev5 for details. Use
PresharedKeyFileinstead of``PresharedKey``: the nix store is world-readable.Type: list of submodules
Default: ``[
]``
Example: ``[
{ wireguardPeerConfig = { AllowedIPs = [ “10.0.0.1/32” ] ; Endpoint = “192.168.1.1:51820”; PersistentKeepalive = 15; PresharedKeyFile = “/etc/wireguard/psk.key”; PublicKey = “27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=”; } ; }
]``
Declared by:
systemd.network.netdevs.<name>.wireguardPeers.*.wireguardPeerConfig¶
systemd.network.netdevs.<name>.xfrmConfig¶
Each attribute in this set specifies an option in the``[Xfrm]`` section of the unit. Seesystemd.netdev5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ InterfaceId = 1; }Declared by:
systemd.network.networks¶
systemd.network.networks.<name>.enable¶
Whether to manage network configuration using systemd-network.
Type: boolean
Default:
trueDeclared by:
systemd.network.networks.<name>.DHCP¶
Whether to enable DHCP on the interfaces matched.
Type: null or string
Default:
nullDeclared by:
systemd.network.networks.<name>.address¶
A list of addresses to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.addresses¶
A list of address sections to be added to the unit. Seesystemd.network5 for details.
Type: list of submodules
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.addresses.*.addressConfig¶
Each attribute in this set specifies an option in the``[Address]`` section of the unit. Seesystemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Address = "192.168.0.100/24"; }Declared by:
systemd.network.networks.<name>.bond¶
A list of bond interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.bridge¶
A list of bridge interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.dhcpConfig¶
Each attribute in this set specifies an option in the``[DHCP]`` section of the unit. Seesystemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ UseDNS = true; UseRoutes = true; }Declared by:
systemd.network.networks.<name>.dhcpServerConfig¶
Each attribute in this set specifies an option in the``[DHCPServer]`` section of the unit. Seesystemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ EmitDNS = false; PoolOffset = 50; }Declared by:
systemd.network.networks.<name>.dns¶
A list of dns servers to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.domains¶
A list of domains to pass to the network config.
Type: null or list of strings
Default:
nullDeclared by:
systemd.network.networks.<name>.extraConfig¶
Extra configuration append to unit
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.network.networks.<name>.gateway¶
A list of gateways to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.linkConfig¶
Each attribute in this set specifies an option in the``[Link]`` section of the unit. Seesystemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Unmanaged = true; }Declared by:
systemd.network.networks.<name>.macvlan¶
A list of macvlan interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.matchConfig¶
Each attribute in this set specifies an option in the``[Match]`` section of the unit. Seesystemd.link5systemd.netdev5systemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Name = "eth0"; }Declared by:
systemd.network.networks.<name>.name¶
The name of the network interface to match against.
Type: null or string
Default:
nullDeclared by:
systemd.network.networks.<name>.networkConfig¶
Each attribute in this set specifies an option in the``[Network]`` section of the unit. Seesystemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Description = "My Network"; }Declared by:
systemd.network.networks.<name>.ntp¶
A list of ntp servers to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.routes¶
A list of route sections to be added to the unit. Seesystemd.network5 for details.
Type: list of submodules
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.routes.*.routeConfig¶
Each attribute in this set specifies an option in the``[Route]`` section of the unit. Seesystemd.network5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Gateway = "192.168.0.1"; }Declared by:
systemd.network.networks.<name>.tunnel¶
A list of tunnel interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.vlan¶
A list of vlan interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.vrf¶
A list of vrf interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.vxlan¶
A list of vxlan interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.network.networks.<name>.xfrm¶
A list of xfrm interfaces to be added to the network section of the unit. See systemd.network5 for details.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.nspawn¶
Definition of systemd-nspawn configurations.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.nspawn.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.nspawn.<name>.aliases¶
systemd.nspawn.<name>.execConfig¶
Each attribute in this set specifies an option in the``[Exec]`` section of this unit. Seesystemd.nspawn5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Parameters = "/bin/sh"; }Declared by:
systemd.nspawn.<name>.filesConfig¶
Each attribute in this set specifies an option in the``[Files]`` section of this unit. Seesystemd.nspawn5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Bind = [ "/home/alice" ] ; }Declared by:
systemd.nspawn.<name>.networkConfig¶
Each attribute in this set specifies an option in the``[Network]`` section of this unit. Seesystemd.nspawn5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ Private = false; }Declared by:
systemd.nspawn.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.nspawn.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths¶
systemd.paths.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.paths.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.aliases¶
systemd.paths.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.paths.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.pathConfig¶
Each attribute in this set specifies an option in the``[Path]`` section of the unit. Seesystemd.path5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ PathChanged = "/some/path"; Unit = "changedpath.service"; }Declared by:
systemd.paths.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.paths.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.paths.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.paths.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.paths.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services¶
Definition of systemd service units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.services.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.services.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.aliases¶
systemd.services.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.confinement.enable¶
If set, all the required runtime store paths for this service are bind-mounted into a
tmpfs-based chroot2.Type: boolean
Default:
falseDeclared by:
systemd.services.<name>.confinement.packages¶
Additional packages or strings with context to add to the closure of the chroot. By default, this includes all the packages from the, , , , and options. If you want to have all the dependencies of this systemd unit, you can use.
Note
The store paths listed in are*not* included in the closure as well as paths from other options except those listed above.
Type: list of string or packages
Default: ``[
]``
Declared by:
systemd.services.<name>.confinement.binSh¶
The program to make available as
/bin/shinside the chroot. If this is set tonull, no:file:/bin/sh is provided at all.This is useful for some applications, which for example use thesystem3 library function to execute commands.
Type: null or path
Default:
"config.environment.binsh"Example:
${pkgs.dash}/bin/dashDeclared by:
systemd.services.<name>.confinement.fullUnit¶
Whether to include the full closure of the systemd unit file into the chroot, instead of just the dependencies for the executables.
Warning
While it may be tempting to just enable this option to make things work quickly, please be aware that this might add paths to the closure of the chroot that you didn’t anticipate. It’s better to use to explicitly add additional store paths to the chroot.
Type: boolean
Default:
falseDeclared by:
systemd.services.<name>.confinement.mode¶
The value
full-apivfs(the default) sets up private/dev,/proc,/sysand/tmpfile systems in a separate user name space.If this is set to
chroot-only, only the file system name space is set up along with the call to chroot2.Note
This doesn’t cover network namespaces and is solely for file system level isolation.
Type: one of “full-apivfs”, “chroot-only”
Default:
"full-apivfs"Declared by:
systemd.services.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.services.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.environment¶
Environment variables passed to the service’s processes.
Type: attribute set of null or string or path or packages
Default: ``{
}``
Example:
{ LANG = "nl_NL.UTF-8"; PATH = "/foo/bar/bin"; }Declared by:
systemd.services.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.path¶
Packages added to the service’s PATH environment variable. Both the
binandsbinsubdirectories of each package are added.Type: unspecified
Default: ``[
]``
Declared by:
systemd.services.<name>.postStart¶
Shell commands executed after the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.services.<name>.postStop¶
Shell commands executed after the service’s main process has exited.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.services.<name>.preStart¶
Shell commands executed before the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.services.<name>.preStop¶
Shell commands executed to stop the service.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.services.<name>.reload¶
Shell commands executed when the service’s main process is reloaded.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.services.<name>.reloadIfChanged¶
Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of is ignored.
Type: boolean
Default:
falseDeclared by:
systemd.services.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.restartIfChanged¶
Whether the service should be restarted during a NixOS configuration switch if its definition has changed.
Type: boolean
Default:
trueDeclared by:
systemd.services.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.services.<name>.script¶
Shell commands executed as the service’s main process.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.services.<name>.scriptArgs¶
Arguments passed to the main process script.
Type: string
Default:
""Declared by:
systemd.services.<name>.serviceConfig¶
Each attribute in this set specifies an option in the``[Service]`` section of the unit. Seesystemd.service5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RestartSec = 5; StartLimitInterval = 10; }Declared by:
systemd.services.<name>.startAt¶
Automatically start this unit at the given date/time, which must be in the format described insystemd.time7. This is equivalent to adding a corresponding timer unit with set to the value given here.
Type: string or list of strings
Default: ``[
]``
Example:
"Sun 14:00:00"Declared by:
systemd.services.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.services.<name>.stopIfChanged¶
If set, a changed unit is restarted by calling:command:systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using:command:systemctl restart in the new configuration. The latter is less correct because it runs the``ExecStop`` commands from the new configuration.
Type: boolean
Default:
trueDeclared by:
systemd.services.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.services.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.services.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.shutdown¶
Definition of systemd shutdown executables. For each
NAME = VALUEpair of the attrSet, a link is generated from``/etc/systemd/system-shutdown/NAME`` toVALUE.Type: attribute set of paths
Default: ``{
}``
Declared by:
systemd.sleep.extraConfig¶
Extra config options for systemd sleep state logic. See sleep.conf.d(5) man page for available options.
Type: strings concatenated with “\n”
Default:
""Example:
"HibernateDelaySec=1h"Declared by:
systemd.slices¶
systemd.slices.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.slices.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.aliases¶
systemd.slices.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.slices.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.slices.<name>.sliceConfig¶
Each attribute in this set specifies an option in the``[Slice]`` section of the unit. Seesystemd.slice5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ MemoryMax = "2G"; }Declared by:
systemd.slices.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.slices.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.slices.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.slices.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets¶
systemd.sockets.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.sockets.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.aliases¶
systemd.sockets.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.sockets.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.listenStreams¶
For each item in this list, a
ListenStreamoption in the[Socket]section will be created.Type: list of strings
Default: ``[
]``
Example:
[ "0.0.0.0:993" "/run/my-socket" ]Declared by:
systemd.sockets.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.sockets.<name>.socketConfig¶
Each attribute in this set specifies an option in the``[Socket]`` section of the unit. Seesystemd.socket5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ ListenStream = "/run/my-socket"; }Declared by:
systemd.sockets.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.sockets.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.sockets.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.sockets.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.suppressedSystemUnits¶
A list of units to suppress when generating system systemd configuration directory. This has priority over upstream units, , and. The main purpose of this is to suppress a upstream systemd unit with any modifications made to it by other NixOS modules.
Type: list of strings
Default: ``[
]``
Example:
[ "systemd-backlight@.service" ]Declared by:
systemd.targets¶
systemd.targets.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.targets.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.aliases¶
systemd.targets.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.targets.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.targets.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.targets.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.targets.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.targets.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers¶
systemd.timers.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.timers.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.aliases¶
systemd.timers.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.timers.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.timers.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.timers.<name>.timerConfig¶
Each attribute in this set specifies an option in the``[Timer]`` section of the unit. Seesystemd.timer5 andsystemd.time7 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ OnCalendar = "Sun 14:00:00"; Unit = "foo.service"; }Declared by:
systemd.timers.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.timers.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.timers.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.tmpfiles.rules¶
Rules for creating and cleaning up temporary files automatically. Seetmpfiles.d5 for the exact format.
Type: list of strings
Default: ``[
]``
Example:
[ "d /tmp 1777 root root 10d" ]Declared by:
systemd.units¶
systemd.units.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.units.<name>.aliases¶
systemd.units.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.units.<name>.text¶
Text of this systemd unit.
Type: null or string
Default:
nullDeclared by:
systemd.units.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.extraConfig¶
Extra config options for systemd user instances. See man systemd-user.conf for available options.
Type: strings concatenated with “\n”
Default:
""Example:
"DefaultCPUAccounting=yes"Declared by:
systemd.user.paths¶
Definition of systemd per-user path units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.paths.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.paths.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.aliases¶
systemd.user.paths.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.user.paths.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.pathConfig¶
Each attribute in this set specifies an option in the``[Path]`` section of the unit. Seesystemd.path5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ PathChanged = "/some/path"; Unit = "changedpath.service"; }Declared by:
systemd.user.paths.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.user.paths.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.user.paths.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.paths.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services¶
Definition of systemd per-user service units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.services.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.services.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.aliases¶
systemd.user.services.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.user.services.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.environment¶
Environment variables passed to the service’s processes.
Type: attribute set of null or string or path or packages
Default: ``{
}``
Example:
{ LANG = "nl_NL.UTF-8"; PATH = "/foo/bar/bin"; }Declared by:
systemd.user.services.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.path¶
Packages added to the service’s PATH environment variable. Both the
binandsbinsubdirectories of each package are added.Type: unspecified
Default: ``[
]``
Declared by:
systemd.user.services.<name>.postStart¶
Shell commands executed after the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.user.services.<name>.postStop¶
Shell commands executed after the service’s main process has exited.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.user.services.<name>.preStart¶
Shell commands executed before the service’s main process is started.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.user.services.<name>.preStop¶
Shell commands executed to stop the service.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.user.services.<name>.reload¶
Shell commands executed when the service’s main process is reloaded.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.user.services.<name>.reloadIfChanged¶
Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of is ignored.
Type: boolean
Default:
falseDeclared by:
systemd.user.services.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.restartIfChanged¶
Whether the service should be restarted during a NixOS configuration switch if its definition has changed.
Type: boolean
Default:
trueDeclared by:
systemd.user.services.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.user.services.<name>.script¶
Shell commands executed as the service’s main process.
Type: strings concatenated with “\n”
Default:
""Declared by:
systemd.user.services.<name>.scriptArgs¶
Arguments passed to the main process script.
Type: string
Default:
""Declared by:
systemd.user.services.<name>.serviceConfig¶
Each attribute in this set specifies an option in the``[Service]`` section of the unit. Seesystemd.service5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RestartSec = 5; StartLimitInterval = 10; }Declared by:
systemd.user.services.<name>.startAt¶
Automatically start this unit at the given date/time, which must be in the format described insystemd.time7. This is equivalent to adding a corresponding timer unit with set to the value given here.
Type: string or list of strings
Default: ``[
]``
Example:
"Sun 14:00:00"Declared by:
systemd.user.services.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.user.services.<name>.stopIfChanged¶
If set, a changed unit is restarted by calling:command:systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using:command:systemctl restart in the new configuration. The latter is less correct because it runs the``ExecStop`` commands from the new configuration.
Type: boolean
Default:
trueDeclared by:
systemd.user.services.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.user.services.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.services.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices¶
Definition of systemd per-user slice units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.slices.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.slices.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.aliases¶
systemd.user.slices.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.user.slices.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.sliceConfig¶
Each attribute in this set specifies an option in the``[Slice]`` section of the unit. Seesystemd.slice5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ MemoryMax = "2G"; }Declared by:
systemd.user.slices.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.user.slices.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.user.slices.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.slices.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets¶
Definition of systemd per-user socket units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.sockets.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.sockets.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.aliases¶
systemd.user.sockets.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.user.sockets.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.listenStreams¶
For each item in this list, a
ListenStreamoption in the[Socket]section will be created.Type: list of strings
Default: ``[
]``
Example:
[ "0.0.0.0:993" "/run/my-socket" ]Declared by:
systemd.user.sockets.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.socketConfig¶
Each attribute in this set specifies an option in the``[Socket]`` section of the unit. Seesystemd.socket5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ ListenStream = "/run/my-socket"; }Declared by:
systemd.user.sockets.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.user.sockets.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.user.sockets.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.sockets.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets¶
Definition of systemd per-user target units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.targets.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.targets.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.aliases¶
systemd.user.targets.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.user.targets.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.user.targets.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.user.targets.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.targets.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers¶
Definition of systemd per-user timer units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.timers.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.timers.<name>.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.aliases¶
systemd.user.timers.<name>.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.description¶
Description of this unit used in systemd messages and progress indicators.
Type: string
Default:
""Declared by:
systemd.user.timers.<name>.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecifieds
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than burst times within an interval time interval are not permitted to start any more.
Type: signed integer
Declared by:
systemd.user.timers.<name>.timerConfig¶
Each attribute in this set specifies an option in the``[Timer]`` section of the unit. Seesystemd.timer5 andsystemd.time7 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ OnCalendar = "Sun 14:00:00"; Unit = "foo.service"; }Declared by:
systemd.user.timers.<name>.unitConfig¶
Each attribute in this set specifies an option in the``[Unit]`` section of the unit. Seesystemd.unit5 for details.
Type: attribute set of systemd options
Default: ``{
}``
Example:
{ RequiresMountsFor = "/data"; }Declared by:
systemd.user.timers.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.timers.<name>.wants¶
Start the specified units when this unit is started.
Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.units¶
Definition of systemd per-user units.
Type: attribute set of submodules
Default: ``{
}``
Declared by:
systemd.user.units.<name>.enable¶
If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g.
serial-getty@ttyS0) from being started. Note thatenable=truedoes not make a unit start by default at boot; if you want that, see``wantedBy``.Type: boolean
Default:
trueDeclared by:
systemd.user.units.<name>.aliases¶
systemd.user.units.<name>.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit. The discussion under
wantedByapplies here as well: inverse.requiressymlinks are established.Type: list of strings
Default: ``[
]``
Declared by:
systemd.user.units.<name>.text¶
Text of this systemd unit.
Type: null or string
Default:
nullDeclared by:
systemd.user.units.<name>.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to make a unit start by default at boot is to set this option to
[ "multi-user.target" ]. That’s despite the fact that the systemd.unit(5) manpage says this option goes in the[Install]section that controls the behaviour ofsystemctl enable. Since such a process is stateful and thus contrary to the design of NixOS, setting this option instead causes the equivalent inverse.wantssymlink to be present, establishing the same desired relationship in a stateless way.Type: list of strings
Default: ``[
]``
Declared by:
time.hardwareClockInLocalTime¶
If set, keep the hardware clock in local time instead of UTC.
Type: boolean
Default:
falseDeclared by:
time.timeZone¶
The time zone used when displaying times and dates. See ` <https://en.wikipedia.org/wiki/List_of_tz_database_time_zones>`_ for a comprehensive list of possible values for this setting.
If null, the timezone will default to UTC and can be set imperatively using timedatectl.
Type: null or string without spaces
Default:
nullExample:
"America/New_York"Declared by:
users.defaultUserShell¶
This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package.
This must not be a store path, since the path is used outside the store (in particular in /etc/passwd).
Type: path or package
Example:
pkgs.zshDeclared by:
users.enforceIdUniqueness¶
Whether to require that no two users/groups share the same uid/gid.
Type: boolean
Default:
trueDeclared by:
users.extraGroups¶
Alias of .
Type: list or attribute set of submodules
Declared by:
users.extraGroups.<name?>.gid¶
The group GID. If the GID is null, a free GID is picked on activation.
Type: null or signed integer
Default:
nullDeclared by:
users.extraGroups.<name?>.members¶
The user names of the group members, added to the``/etc/group`` file.
Type: list of strings
Default: ``[
]``
Declared by:
users.extraGroups.<name?>.name¶
The name of the group. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
users.extraUsers¶
Alias of .
Type: list or attribute set of submodules
Declared by:
users.extraUsers.<name?>.packages¶
The set of packages that should be made available to the user. This is in contrast to , which adds packages to all users.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.firefox pkgs.thunderbird ]Declared by:
users.extraUsers.<name?>.createHome¶
If true, the home directory will be created automatically. If this option is true and the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user.
Type: boolean
Default:
falseDeclared by:
users.extraUsers.<name?>.cryptHomeLuks¶
Path to encrypted luks device that contains the user’s home directory.
Type: null or string
Default:
nullDeclared by:
users.extraUsers.<name?>.description¶
A short description of the user account, typically the user’s full name. This is actually the “GECOS” or “comment” field in
/etc/passwd.Type: string
Default:
""Example:
"Alice Q. User"Declared by:
users.extraUsers.<name?>.extraGroups¶
users.extraUsers.<name?>.group¶
The user’s primary group.
Type: string
Default:
"nogroup"Declared by:
users.extraUsers.<name?>.hashedPassword¶
Specifies the hashed password for the user. The options , and controls what password is set for the user. overrides both and . overrides . If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If is false, you cannot change user passwords, they will always be set according to the password options.
To generate hashed password install
mkpasswdpackage and runmkpasswd -m sha-512.Type: null or string
Default:
nullDeclared by:
users.extraUsers.<name?>.home¶
The user’s home directory.
Type: path
Default:
"/var/empty"Declared by:
users.extraUsers.<name?>.initialHashedPassword¶
Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If is true, the password can be changed subsequently using the:command:passwd command. Otherwise, it’s equivalent to setting the option.
To generate hashed password install
mkpasswdpackage and runmkpasswd -m sha-512.Type: null or string
Default:
nullDeclared by:
users.extraUsers.<name?>.initialPassword¶
Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If is true, the password can be changed subsequently using the:command:passwd command. Otherwise, it’s equivalent to setting the option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.
Type: null or string
Default:
nullDeclared by:
users.extraUsers.<name?>.isNormalUser¶
Indicates whether this is an account for a “real” user. This automatically sets to``users``, to``true``, to:file:/home/, to
true, and to``false``.Type: boolean
Default:
falseDeclared by:
users.extraUsers.<name?>.isSystemUser¶
Indicates if the user is a system user or not. This option only has an effect if is, in which case it determines whether the user’s UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000).
Type: boolean
Default:
falseDeclared by:
users.extraUsers.<name?>.name¶
The name of the user account. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
users.extraUsers.<name?>.openssh.authorizedKeys.keyFiles¶
A list of files each containing one OpenSSH public key that should be added to the user’s authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the``keyFiles`` and
keysoptions.Type: list of paths
Default: ``[
]``
Declared by:
users.extraUsers.<name?>.openssh.authorizedKeys.keys¶
A list of verbatim OpenSSH public keys that should be added to the user’s authorized keys. The keys are added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the
keysand``keyFiles`` options. Warning: If you are usingNixOpsthen don’t use this option since it will replace the key required for deployment via ssh.Type: list of strings
Default: ``[
]``
Declared by:
users.extraUsers.<name?>.password¶
Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts. The options , and controls what password is set for the user. overrides both and . overrides . If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If is false, you cannot change user passwords, they will always be set according to the password options.
Type: null or string
Default:
nullDeclared by:
users.extraUsers.<name?>.passwordFile¶
The full path to a file that contains the user’s password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the
chpasswd -ecommand. The options , and controls what password is set for the user. overrides both and . overrides . If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If is false, you cannot change user passwords, they will always be set according to the password options.Type: null or string
Default:
nullDeclared by:
users.extraUsers.<name?>.shell¶
The path to the user’s shell. Can use shell derivations, like
pkgs.bashInteractive. Don’t forget to enable your shell in``programs`` if necessary, like programs.zsh.enable = true;.Type: package or path
Default:
"pkgs.shadow"Example:
pkgs.bashInteractiveDeclared by:
users.extraUsers.<name?>.subGidRanges¶
users.extraUsers.<name?>.subGidRanges.*.count¶
Count of subordinate group ids
Type: signed integer
Default:
1Declared by:
users.extraUsers.<name?>.subGidRanges.*.startGid¶
Start of the range of subordinate group ids that user is allowed to use.
Type: signed integer
Declared by:
users.extraUsers.<name?>.subUidRanges¶
users.extraUsers.<name?>.subUidRanges.*.count¶
Count of subordinate user ids
Type: signed integer
Default:
1Declared by:
users.extraUsers.<name?>.subUidRanges.*.startUid¶
Start of the range of subordinate user ids that user is allowed to use.
Type: signed integer
Declared by:
users.extraUsers.<name?>.uid¶
The account UID. If the UID is null, a free UID is picked on activation.
Type: null or signed integer
Default:
nullDeclared by:
users.extraUsers.<name?>.useDefaultShell¶
If true, the user’s shell will be set to.
Type: boolean
Default:
falseDeclared by:
users.groups¶
users.groups.<name?>.gid¶
The group GID. If the GID is null, a free GID is picked on activation.
Type: null or signed integer
Default:
nullDeclared by:
users.groups.<name?>.members¶
The user names of the group members, added to the``/etc/group`` file.
Type: list of strings
Default: ``[
]``
Declared by:
users.groups.<name?>.name¶
The name of the group. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
users.ldap.enable¶
Whether to enable authentication against an LDAP server.
Type: boolean
Default:
falseDeclared by:
users.ldap.base¶
The distinguished name of the search base.
Type: unspecified
Example:
"dc=example,dc=org"Declared by:
users.ldap.bind.distinguishedName¶
The distinguished name to bind to the LDAP server with. If this is not specified, an anonymous bind will be done.
Type: string
Default:
""Example:
"cn=admin,dc=example,dc=com"Declared by:
users.ldap.bind.passwordFile¶
The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).
Type: string
Default:
"/etc/ldap/bind.password"Declared by:
users.ldap.bind.policy¶
Specifies the policy to use for reconnecting to an unavailable LDAP server. The default is
hard_open, which reconnects if opening the connection to the directory server failed. By contrast,hard_initreconnects if initializing the connection failed. Initializing may not actually contact the directory server, and it is possible that a malformed configuration file will trigger reconnection. If``soft`` is specified, then``nss_ldap`` will return immediately on server failure. All hard reconnect policies block with exponential backoff before retrying.Type: one of “hard_open”, “hard_init”, “soft”
Default:
"hard_open"Declared by:
users.ldap.bind.timeLimit¶
Specifies the time limit (in seconds) to use when connecting to the directory server. This is distinct from the time limit specified in
users.ldap.timeLimitand affects the initial server connection only.Type: signed integer
Default:
30Declared by:
users.ldap.daemon.enable¶
Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM. This can improve performance, and if you need to bind to the LDAP server with a password, it increases security, since only the nslcd user needs to have access to the bindpw file, not everyone that uses NSS and/or PAM. If this option is enabled, a local nscd user is created automatically, and the nslcd service is started automatically when the network get up.
Type: unspecified
Default:
falseDeclared by:
users.ldap.daemon.extraConfig¶
Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf).
Type: strings concatenated with “\n”
Default:
""Declared by:
users.ldap.daemon.rootpwmoddn¶
The distinguished name to use to bind to the LDAP server when the root user tries to modify a user’s password.
Type: string
Default:
""Example:
"cn=admin,dc=example,dc=com"Declared by:
users.ldap.daemon.rootpwmodpwFile¶
The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user’s password.
Type: string
Default:
""Example:
"/run/keys/nslcd.rootpwmodpw"Declared by:
users.ldap.extraConfig¶
Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf). If
users.ldap.daemonis enabled, this configuration will not be used. In that case, use``users.ldap.daemon.extraConfig`` instead.Type: strings concatenated with “\n”
Default:
""Declared by:
users.ldap.loginPam¶
Whether to include authentication against LDAP in login PAM
Type: boolean
Default:
trueDeclared by:
users.ldap.nsswitch¶
Whether to include lookup against LDAP in NSS
Type: boolean
Default:
trueDeclared by:
users.ldap.server¶
The URL of the LDAP server.
Type: unspecified
Example:
"ldap://ldap.example.org/"Declared by:
users.ldap.timeLimit¶
Specifies the time limit (in seconds) to use when performing searches. A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
Type: signed integer
Default:
0Declared by:
users.ldap.useTLS¶
If enabled, use TLS (encryption) over an LDAP (port 389) connection. The alternative is to specify an LDAPS server (port 636) in or to forego security.
Type: unspecified
Default:
falseDeclared by:
users.motd¶
Message of the day shown to users when they log in.
Type: null or strings concatenated with “\n”
Default:
nullExample:
"Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."Declared by:
users.mutableUsers¶
If set to
true, you are free to add new users and groups to the system with the ordinaryuseraddand``groupadd`` commands. On system activation, the existing contents of the/etc/passwdand``/etc/group`` files will be merged with the contents generated from theusers.usersand``users.groups`` options. The initial password for a user will be set according tousers.users, but existing passwords will not be changed.Warning
If set to
false, the contents of the user and group files will simply be replaced on system activation. This also holds for the user passwords; all changed passwords will be reset according to the``users.users`` configuration on activation.Type: boolean
Default:
trueDeclared by:
users.users¶
Additional user accounts to be created automatically by the system. This can also be used to set options for root.
Type: list or attribute set of submodules
Default: ``{
}``
Example:
{ alice = { createHome = true; description = "Alice Q. User"; extraGroups = [ "wheel" ] ; group = "users"; home = "/home/alice"; shell = "/bin/sh"; uid = 1234; } ; }Declared by:
users.users.<name?>.packages¶
The set of packages that should be made available to the user. This is in contrast to , which adds packages to all users.
Type: list of packages
Default: ``[
]``
Example:
[ pkgs.firefox pkgs.thunderbird ]Declared by:
users.users.<name?>.createHome¶
If true, the home directory will be created automatically. If this option is true and the home directory already exists but is not owned by the user, directory owner and group will be changed to match the user.
Type: boolean
Default:
falseDeclared by:
users.users.<name?>.cryptHomeLuks¶
Path to encrypted luks device that contains the user’s home directory.
Type: null or string
Default:
nullDeclared by:
users.users.<name?>.description¶
A short description of the user account, typically the user’s full name. This is actually the “GECOS” or “comment” field in
/etc/passwd.Type: string
Default:
""Example:
"Alice Q. User"Declared by:
users.users.<name?>.extraGroups¶
users.users.<name?>.group¶
The user’s primary group.
Type: string
Default:
"nogroup"Declared by:
users.users.<name?>.hashedPassword¶
Specifies the hashed password for the user. The options , and controls what password is set for the user. overrides both and . overrides . If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If is false, you cannot change user passwords, they will always be set according to the password options.
To generate hashed password install
mkpasswdpackage and runmkpasswd -m sha-512.Type: null or string
Default:
nullDeclared by:
users.users.<name?>.home¶
The user’s home directory.
Type: path
Default:
"/var/empty"Declared by:
users.users.<name?>.initialHashedPassword¶
Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If is true, the password can be changed subsequently using the:command:passwd command. Otherwise, it’s equivalent to setting the option.
To generate hashed password install
mkpasswdpackage and runmkpasswd -m sha-512.Type: null or string
Default:
nullDeclared by:
users.users.<name?>.initialPassword¶
Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If is true, the password can be changed subsequently using the:command:passwd command. Otherwise, it’s equivalent to setting the option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.
Type: null or string
Default:
nullDeclared by:
users.users.<name?>.isNormalUser¶
Indicates whether this is an account for a “real” user. This automatically sets to``users``, to``true``, to:file:/home/, to
true, and to``false``.Type: boolean
Default:
falseDeclared by:
users.users.<name?>.isSystemUser¶
Indicates if the user is a system user or not. This option only has an effect if is, in which case it determines whether the user’s UID is allocated in the range for system users (below 500) or in the range for normal users (starting at 1000).
Type: boolean
Default:
falseDeclared by:
users.users.<name?>.name¶
The name of the user account. If undefined, the name of the attribute set will be used.
Type: string
Declared by:
users.users.<name?>.openssh.authorizedKeys.keyFiles¶
A list of files each containing one OpenSSH public key that should be added to the user’s authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the``keyFiles`` and
keysoptions.Type: list of paths
Default: ``[
]``
Declared by:
users.users.<name?>.openssh.authorizedKeys.keys¶
A list of verbatim OpenSSH public keys that should be added to the user’s authorized keys. The keys are added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the
keysand``keyFiles`` options. Warning: If you are usingNixOpsthen don’t use this option since it will replace the key required for deployment via ssh.Type: list of strings
Default: ``[
]``
Declared by:
users.users.<name?>.password¶
Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts. The options , and controls what password is set for the user. overrides both and . overrides . If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If is false, you cannot change user passwords, they will always be set according to the password options.
Type: null or string
Default:
nullDeclared by:
users.users.<name?>.passwordFile¶
The full path to a file that contains the user’s password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the
chpasswd -ecommand. The options , and controls what password is set for the user. overrides both and . overrides . If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If is false, you cannot change user passwords, they will always be set according to the password options.Type: null or string
Default:
nullDeclared by:
users.users.<name?>.shell¶
The path to the user’s shell. Can use shell derivations, like
pkgs.bashInteractive. Don’t forget to enable your shell in``programs`` if necessary, like programs.zsh.enable = true;.Type: package or path
Default:
"pkgs.shadow"Example:
pkgs.bashInteractiveDeclared by:
users.users.<name?>.subGidRanges¶
users.users.<name?>.subGidRanges.*.count¶
Count of subordinate group ids
Type: signed integer
Default:
1Declared by:
users.users.<name?>.subGidRanges.*.startGid¶
Start of the range of subordinate group ids that user is allowed to use.
Type: signed integer
Declared by:
users.users.<name?>.subUidRanges¶
users.users.<name?>.subUidRanges.*.count¶
Count of subordinate user ids
Type: signed integer
Default:
1Declared by:
users.users.<name?>.subUidRanges.*.startUid¶
Start of the range of subordinate user ids that user is allowed to use.
Type: signed integer
Declared by:
users.users.<name?>.uid¶
The account UID. If the UID is null, a free UID is picked on activation.
Type: null or signed integer
Default:
nullDeclared by:
users.users.<name?>.useDefaultShell¶
If true, the user’s shell will be set to.
Type: boolean
Default:
falseDeclared by:
virtualisation.anbox.enable¶
Whether to enable Anbox.
Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.anbox.extraInit¶
Extra shell commands to be run inside the container image during init.
Type: strings concatenated with “\n”
Default:
""Declared by:
virtualisation.anbox.image¶
Base android image for Anbox.
Type: package
Default:
*(build of android_amd64.img)*Example:
pkgs.anbox.imageDeclared by:
virtualisation.anbox.ipv4.container.address¶
IPv4 Container address.
Type: string
Default:
"192.168.250.2"Declared by:
virtualisation.anbox.ipv4.container.prefixLength¶
Subnet mask of the Container address, specified as the number of bits in the prefix (
24).Type: signed integer
Default:
24Declared by:
virtualisation.anbox.ipv4.dns¶
Container DNS server.
Type: string
Default:
"1.1.1.1"Declared by:
virtualisation.anbox.ipv4.gateway.address¶
IPv4 Host address.
Type: string
Default:
"192.168.250.1"Declared by:
virtualisation.anbox.ipv4.gateway.prefixLength¶
Subnet mask of the Host address, specified as the number of bits in the prefix (
24).Type: signed integer
Default:
24Declared by:
virtualisation.cri-o.enable¶
Whether to enable Container Runtime Interface for OCI (CRI-O).
Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.cri-o.logLevel¶
Log level to be used
Type: one of “trace”, “debug”, “info”, “warn”, “error”, “fatal”
Default:
"info"Declared by:
virtualisation.cri-o.pauseCommand¶
Pause command to be executed
Type: string
Default:
"/pause"Declared by:
virtualisation.cri-o.pauseImage¶
Pause image for pod sandboxes to be used
Type: string
Default:
"k8s.gcr.io/pause:3.1"Declared by:
virtualisation.cri-o.registries¶
Registries to be configured for unqualified image pull
Type: list of strings
Default:
[ "docker.io" "quay.io" ]Declared by:
virtualisation.cri-o.storageDriver¶
Storage driver to be used
Type: one of “btrfs”, “overlay”, “vfs”
Default:
"overlay"Declared by:
virtualisation.docker.enable¶
This option enables docker, a daemon that manages linux containers. Users in the “docker” group can interact with the daemon (e.g. to start or stop containers) using the:command:docker command line tool.
Type: boolean
Default:
falseDeclared by:
virtualisation.docker.enableNvidia¶
Enable nvidia-docker wrapper, supporting NVIDIA GPUs inside docker containers.
Type: boolean
Default:
falseDeclared by:
virtualisation.docker.enableOnBoot¶
When enabled dockerd is started on boot. This is required for containers which are created with the``–restart=always`` flag to work. If this option is disabled, docker might be started on demand by socket activation.
Type: boolean
Default:
trueDeclared by:
virtualisation.docker.package¶
Docker package to be used in the module.
Type: package
Default:
*(build of docker-19.03.6)*Example:
*(build of )*Declared by:
virtualisation.docker.autoPrune.enable¶
Whether to periodically prune Docker resources. If enabled, a systemd timer will run
docker system prune -fas specified by thedatesoption.Type: boolean
Default:
falseDeclared by:
virtualisation.docker.autoPrune.dates¶
Specification (in the format described bysystemd.time7) of the time at which the prune will occur.
Type: string
Default:
"weekly"Declared by:
virtualisation.docker.autoPrune.flags¶
Any additional flags passed to docker system prune.
Type: list of strings
Default: ``[
]``
Example:
[ "--all" ]Declared by:
virtualisation.docker.extraOptions¶
The extra command-line options to pass to:command:docker daemon.
Type: strings concatenated with ” “
Default:
""Declared by:
virtualisation.docker.listenOptions¶
A list of unix and tcp docker should listen to. The format follows ListenStream as described in systemd.socket(5).
Type: list of strings
Default:
[ "/run/docker.sock" ]Declared by:
virtualisation.docker.liveRestore¶
Allow dockerd to be restarted without affecting running container. This option is incompatible with docker swarm.
Type: boolean
Default:
trueDeclared by:
virtualisation.docker.logDriver¶
This option determines which Docker log driver to use.
Type: one of “none”, “json-file”, “syslog”, “journald”, “gelf”, “fluentd”, “awslogs”, “splunk”, “etwlogs”, “gcplogs”
Default:
"journald"Declared by:
virtualisation.docker.storageDriver¶
This option determines which Docker storage driver to use. By default it let’s docker automatically choose preferred storage driver.
Type: null or one of “aufs”, “btrfs”, “devicemapper”, “overlay”, “overlay2”, “zfs”
Default:
nullDeclared by:
virtualisation.hypervGuest.enable¶
Whether to enable Hyper-V Guest Support.
Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.hypervGuest.videoMode¶
Resolution at which to initialize the video adapter.
Supports screen resolution up to Full HD 1920x1080 with 32 bit color on Windows Server 2012, and 1600x1200 with 16 bit color on Windows Server 2008 R2 or earlier.
Type: string
Default:
"1152x864"Example:
"1024x768"Declared by:
virtualisation.kvmgt.enable¶
Whether to enable KVMGT (iGVT-g) VGPU support. Allows Qemu/KVM guests to share host’s Intel integrated graphics card. Currently only one graphical device can be shared .
Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.kvmgt.device¶
PCI ID of graphics card. You can figure it with ls /sys/class/mdev_bus.
Type: string
Default:
"0000:00:02.0"Declared by:
virtualisation.kvmgt.vgpus¶
Virtual GPUs to be used in Qemu. You can find devices via ls /sys/bus/pci/devices/*/mdev_supported_types and find info about device via cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description
Type: attribute set of submodules
Default: ``{
}``
Example:
{ i915-GVTg_V5_8 = { uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"; } ; }Declared by:
virtualisation.kvmgt.vgpus.<name>.uuid¶
UUID of VGPU device. You can generate one with libossp_uuid.
Type: string
Declared by:
virtualisation.libvirtd.enable¶
This option enables libvirtd, a daemon that manages virtual machines. Users in the “libvirtd” group can interact with the daemon (e.g. to start or stop VMs) using the:command:virsh command line tool, among others.
Type: boolean
Default:
falseDeclared by:
virtualisation.libvirtd.allowedBridges¶
List of bridge devices that can be used by qemu:///session
Type: list of strings
Default:
[ "virbr0" ]Declared by:
virtualisation.libvirtd.extraConfig¶
Extra contents appended to the libvirtd configuration file, libvirtd.conf.
Type: strings concatenated with “\n”
Default:
""Declared by:
virtualisation.libvirtd.extraOptions¶
Extra command line arguments passed to libvirtd on startup.
Type: list of strings
Default: ``[
]``
Example:
[ "--verbose" ]Declared by:
virtualisation.libvirtd.onBoot¶
Specifies the action to be done to / on the guests when the host boots. The “start” option starts all guests that were running prior to shutdown regardless of their autostart settings. The “ignore” option will not start the formally running guest on boot. However, any guest marked as autostart will still be automatically started by libvirtd.
Type: one of “start”, “ignore”
Default:
"start"Declared by:
virtualisation.libvirtd.onShutdown¶
When shutting down / restarting the host what method should be used to gracefully halt the guests. Setting to “shutdown” will cause an ACPI shutdown of each guest. “suspend” will attempt to save the state of the guests ready to restore on boot.
Type: one of “shutdown”, “suspend”
Default:
"suspend"Declared by:
virtualisation.libvirtd.qemuOvmf¶
Allows libvirtd to take advantage of OVMF when creating new QEMU VMs with UEFI boot.
Type: boolean
Default:
trueDeclared by:
virtualisation.libvirtd.qemuPackage¶
Qemu package to use with libvirt. `pkgs.qemu` can emulate alien architectures (e.g. aarch64 on x86) `pkgs.qemu_kvm` saves disk space allowing to emulate only host architectures.
Type: package
Default:
*(build of qemu-4.2.0)*Declared by:
virtualisation.libvirtd.qemuRunAsRoot¶
If true, libvirtd runs qemu as root. If false, libvirtd runs qemu as unprivileged user qemu-libvirtd. Changing this option to false may cause file permission issues for existing guests. To fix these, manually change ownership of affected files in /var/lib/libvirt/qemu to qemu-libvirtd.
Type: boolean
Default:
trueDeclared by:
virtualisation.libvirtd.qemuVerbatimConfig¶
Contents written to the qemu configuration file, qemu.conf. Make sure to include a proper namespace configuration when supplying custom configuration.
Type: strings concatenated with “\n”
Default:
'' namespaces = [] ''Declared by:
virtualisation.lxc.enable¶
This enables Linux Containers (LXC), which provides tools for creating and managing system or application containers on Linux.
Type: boolean
Default:
falseDeclared by:
virtualisation.lxc.defaultConfig¶
Default config (default.conf) for new containers, i.e. for network config. See lxc.container.conf5.
Type: strings concatenated with “\n”
Default:
""Declared by:
virtualisation.lxc.lxcfs.enable¶
This enables LXCFS, a FUSE filesystem for LXC. To use lxcfs in include the following configuration in your container configuration: virtualisation.lxc.defaultConfig = “lxc.include = ${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf”;
Type: boolean
Default:
falseDeclared by:
virtualisation.lxc.systemConfig¶
This is the system-wide LXC config. Seelxc.system.conf5.
Type: strings concatenated with “\n”
Default:
""Declared by:
virtualisation.lxc.usernetConfig¶
This is the config file for managing unprivileged user network administration access in LXC. See lxc-usernet5.
Type: strings concatenated with “\n”
Default:
""Declared by:
virtualisation.lxd.enable¶
This option enables lxd, a daemon that manages containers. Users in the “lxd” group can interact with the daemon (e.g. to start or stop containers) using the:command:lxc command line tool, among others.
Type: boolean
Default:
falseDeclared by:
virtualisation.lxd.package¶
The LXD package to use.
Type: package
Default:
"pkgs.lxd"Declared by:
virtualisation.lxd.lxcPackage¶
The LXC package to use with LXD (required for AppArmor profiles).
Type: package
Default:
"pkgs.lxc"Declared by:
virtualisation.lxd.recommendedSysctlSettings¶
enables various settings to avoid common pitfalls when running containers requiring many file operations. Fixes errors like “Too many open files” or “neighbour: ndisc_cache: neighbor table overflow!”. See https://lxd.readthedocs.io/en/latest/production-setup/ for details.
Type: boolean
Default:
falseDeclared by:
virtualisation.lxd.zfsPackage¶
The ZFS package to use with LXD.
Type: package
Default:
"pkgs.zfs"Declared by:
virtualisation.lxd.zfsSupport¶
Enables lxd to use zfs as a storage for containers.
This option is enabled by default if a zfs pool is configured with nixos.
Type: boolean
Default:
falseDeclared by:
virtualisation.rkt.enable¶
Whether to enable rkt metadata service.
Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.rkt.gc.automatic¶
Automatically run the garbage collector at a specific time.
Type: boolean
Default:
trueDeclared by:
virtualisation.rkt.gc.dates¶
Specification (in the format described bysystemd.time7) of the time at which the garbage collector will run.
Type: string
Default:
"03:15"Declared by:
virtualisation.rkt.gc.options¶
Options given to
rkt gcwhen the garbage collector is run automatically.Type: string
Default:
"--grace-period=24h"Declared by:
virtualisation.virtualbox.guest.enable¶
Whether to enable the VirtualBox service and other guest additions.
Type: boolean
Default:
falseDeclared by:
virtualisation.virtualbox.guest.x11¶
Whether to enable x11 graphics
Type: boolean
Default:
trueDeclared by:
virtualisation.virtualbox.host.enable¶
Whether to enable VirtualBox.
Note
In order to pass USB devices from the host to the guests, the user needs to be in the
vboxusersgroup.Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.virtualbox.host.enableExtensionPack¶
Whether to install the Oracle Extension Pack for VirtualBox.
Important
You must set
nixpkgs.config.allowUnfree = truein order to use this. This requires you accept the VirtualBox PUEL.Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.virtualbox.host.enableHardening¶
Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules instead of all users in the vboxusers group.
Important
Disabling this can put your system’s security at risk, as local users in the vboxusers group can tamper with the VirtualBox device files.
Type: boolean
Default:
trueDeclared by:
virtualisation.virtualbox.host.package¶
Which VirtualBox package to use.
Type: package
Default:
"pkgs.virtualbox"Declared by:
virtualisation.virtualbox.host.addNetworkInterface¶
Automatically set up a vboxnet0 host-only network interface.
Type: boolean
Default:
trueDeclared by:
virtualisation.virtualbox.host.headless¶
Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers and when virtual machines are controlled only via SSH.
Type: boolean
Default:
falseDeclared by:
virtualisation.vmware.guest.enable¶
Whether to enable VMWare Guest Support.
Type: boolean
Default:
falseExample:
trueDeclared by:
virtualisation.vmware.guest.headless¶
Whether to disable X11-related features.
Type: boolean
Default:
falseDeclared by:
virtualisation.vswitch.enable¶
Whether to enable Open vSwitch. A configuration daemon (ovs-server) will be started.
Type: boolean
Default:
falseDeclared by:
virtualisation.vswitch.package¶
Open vSwitch package to use.
Type: package
Default:
"pkgs.openvswitch"Declared by:
virtualisation.vswitch.ipsec¶
Whether to start racoon service for openvswitch. Supported only if openvswitch version is less than 2.6.0. Use
virtualisation.vswitch.package = pkgs.openvswitch-ltsfor a version that supports ipsec over GRE.Type: boolean
Default:
falseDeclared by:
virtualisation.vswitch.resetOnStart¶
Whether to reset the Open vSwitch configuration database to a default configuration on every start of the systemd
ovsdb.service.Type: boolean
Default:
falseDeclared by:
virtualisation.xen.enable¶
Setting this option enables the Xen hypervisor, a virtualisation technology that allows multiple virtual machines, known as domains, to run concurrently on the physical machine. NixOS runs as the privileged Domain 0. This option requires a reboot to take effect.
Type: boolean
Default:
falseDeclared by:
virtualisation.xen.package¶
The package used for Xen binary.
Type: package
Default:
"pkgs.xen"Example:
pkgs.xen-lightRelated packages:
pkgs.xen (xen-4.8.5): Xen hypervisor and related components (vanilla).Vanilla version of Xen. Uses forks of Qemu and Seabios bundled with Xen. This gives vanilla experince, but wastes space and build time: typical NixOS setup that runs lots of VMs will build three different versions of Qemu when using this (two forks and upstream). Includes: * firmware/etherboot/ipxe.git: Xen's fork of iPXE. * firmware/seabios-dir-remote: Xen's fork of Seabios. * qemu-xen: Xen's fork of upstream Qemu. * qemu-xen-traditional: Xen's fork of upstream Qemu that uses old device model. * xen-libhvm-dir-remote: Helper library for reading ACPI and SMBIOS firmware values from the host system for use with the HVM guest firmware pass-through feature in Xen.
pkgs.xen-light (xen-4.8.5): Xen hypervisor and related components (light).Slimmed-down version of Xen without `qemu-traditional` (you don't need it if you don't know what it is). Use with `qemu_xen-light` from nixpkgs. Includes: * firmware/etherboot/ipxe.git: Xen's fork of iPXE. * xen-libhvm-dir-remote: Helper library for reading ACPI and SMBIOS firmware values from the host system for use with the HVM guest firmware pass-through feature in Xen.Declared by:
virtualisation.xen.package-qemu¶
The package with qemu binaries for dom0 qemu and xendomains.
Type: package
Default:
"pkgs.xen"Example:
pkgs.qemu_xen-lightRelated packages:
pkgs.xen (xen-4.8.5): Xen hypervisor and related components (vanilla).Vanilla version of Xen. Uses forks of Qemu and Seabios bundled with Xen. This gives vanilla experince, but wastes space and build time: typical NixOS setup that runs lots of VMs will build three different versions of Qemu when using this (two forks and upstream). Includes: * firmware/etherboot/ipxe.git: Xen's fork of iPXE. * firmware/seabios-dir-remote: Xen's fork of Seabios. * qemu-xen: Xen's fork of upstream Qemu. * qemu-xen-traditional: Xen's fork of upstream Qemu that uses old device model. * xen-libhvm-dir-remote: Helper library for reading ACPI and SMBIOS firmware values from the host system for use with the HVM guest firmware pass-through feature in Xen.
pkgs.qemu_xen-light (qemu-xen-host-cpu-only-4.2.0): A generic and open source machine emulator and virtualizer.For use with pkgs.xen-light.
Declared by:
virtualisation.xen.bootParams¶
Parameters passed to the Xen hypervisor at boot time.
Type: unspecified
Default:
""Declared by:
virtualisation.xen.bridge.address¶
IPv4 address of the bridge.
Type: string
Default:
"172.16.0.1"Declared by:
virtualisation.xen.bridge.forwardDns¶
If set to
true, the DNS queries from the hosts connected to the bridge will be forwarded to the DNS servers specified in /etc/resolv.conf .Type: unspecified
Default:
falseDeclared by:
virtualisation.xen.bridge.name¶
Name of bridge the Xen domUs connect to.
Type: unspecified
Default:
"xenbr0"Declared by:
virtualisation.xen.bridge.prefixLength¶
Subnet mask of the bridge interface, specified as the number of bits in the prefix (
24). A DHCP server will provide IP addresses for the whole, remaining subnet.Type: signed integer
Default:
16Declared by:
virtualisation.xen.domain0MemorySize¶
Amount of memory (in MiB) allocated to Domain 0 on boot. If set to 0, all memory is assigned to Domain 0.
Type: unspecified
Default:
0Example:
512Declared by:
virtualisation.xen.domains.extraConfig¶
Options defined here will override the defaults for xendomains. The default options can be seen in the file included from /etc/default/xendomains.
Type: strings concatenated with “\n”
Default:
""Declared by:
virtualisation.xen.stored¶
Xen Store daemon to use. Defaults to oxenstored of the xen package.
Type: path
Declared by:
virtualisation.xen.trace¶
Enable Xen tracing.
Type: unspecified
Default:
falseDeclared by:
xdg.autostart.enable¶
Whether to install files to support the XDG Autostart specification.
Type: boolean
Default:
trueDeclared by:
xdg.icons.enable¶
Whether to install files to support the`XDG Icon Theme specification <https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html>`_.
Type: boolean
Default:
trueDeclared by:
xdg.mime.enable¶
Whether to install files to support the`XDG Shared MIME-info specification <https://specifications.freedesktop.org/shared-mime-info-spec/shared-mime-info-spec-latest.html>`_ and the`XDG MIME Applications specification <https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html>`_.
Type: boolean
Default:
trueDeclared by:
xdg.portal.enable¶
xdg.portal.extraPortals¶
List of additional portals to add to path. Portals allow interaction with system, like choosing files or taking screenshots. At minimum, a desktop portal implementation should be listed. GNOME and KDE already adds xdg-desktop-portal-gtk; andxdg-desktop-portal-kde respectively. On other desktop environments you probably want to add them yourself.
Type: list of packages
Default: ``[
]``
Declared by:
xdg.portal.gtkUsePortal¶
Sets environment variable
GTK_USE_PORTALto1. This is needed for packages ran outside Flatpak to respect and use XDG Desktop Portals. For example, you’d need to set this for non-flatpak Firefox to use native filechoosers. Defaults tofalseto respect its opt-in nature.Type: boolean
Default:
falseDeclared by:
xdg.sounds.enable¶
Whether to install files to support the`XDG Sound Theme specification <https://www.freedesktop.org/wiki/Specifications/sound-theme-spec/>`_.
Type: boolean
Default:
trueDeclared by:
zramSwap.enable¶
Enable in-memory compressed devices and swap space provided by the zram kernel module. See https://www.kernel.org/doc/Documentation/blockdev/zram.txt.
Type: boolean
Default:
falseDeclared by:
zramSwap.algorithm¶
Compression algorithm.
lzohas good compression, but is slow.lz4has bad compression, but is fast.``zstd`` is both good compression and fast, but requires newer kernel. You can check what other algorithms are supported by your zram device withcat /sys/class/block/zram*/comp_algorithmType: one of “lzo”, “lz4”, “zstd” or string
Default:
"lzo"Example:
"lz4"Declared by:
zramSwap.memoryPercent¶
Maximum amount of memory that can be used by the zram swap devices (as a percentage of your total memory). Defaults to 1/2 of your total RAM. Run
zramctlto check how good memory is compressed.Type: signed integer
Default:
50Declared by:
zramSwap.numDevices¶
Number of zram devices to create. See also``zramSwap.swapDevices``
Type: signed integer
Default:
1Declared by:
zramSwap.priority¶
Priority of the zram swap devices. It should be a number higher than the priority of your disk-based swap devices (so that the system will fill the zram swap devices before falling back to disk swap).
Type: signed integer
Default:
5Declared by:
zramSwap.swapDevices¶
Number of zram devices to be used as swap. Must be``<= zramSwap.numDevices``. Default is same as
zramSwap.numDevices, recommended is 1.Type: null or signed integer
Default:
nullExample:
1Declared by: