Table of Contents

Preface
1. Installing NixOS
1.1. Obtaining NixOS
1.2. Installation
1.2.1. UEFI Installation
1.2.2. Booting from a USB stick
1.3. Changing the configuration
1.4. Upgrading NixOS
2. Configuring NixOS
2.1. Configuration syntax
2.1.1. The basics
2.1.2. Abstractions
2.1.3. Modularity
2.1.4. Syntax summary
2.2. Package management
2.2.1. Declarative package management
2.2.1.1. Customising packages
2.2.1.2. Adding custom packages
2.2.2. Ad hoc package management
2.3. User management
2.4. File systems
2.4.1. LUKS-encrypted file systems
2.5. X Window System
2.5.1. NVIDIA graphics cards
2.5.2. Touchpads
2.6. Networking
2.6.1. Secure shell access
2.6.2. IPv4 configuration
2.6.3. IPv6 configuration
2.6.4. Firewall
2.6.5. Wireless networks
2.6.6. Ad-hoc configuration
2.7. Linux kernel
3. Running NixOS
3.1. Service management
3.2. Rebooting and shutting down
3.3. User sessions
3.4. Control groups
3.5. Logging
3.6. Cleaning up the Nix store
4. Troubleshooting
4.1. Boot problems
4.2. Maintenance mode
4.3. Rolling back configuration changes
4.4. Nix store corruption
4.5. Nix network issues
5. Containers
5.1. Imperative container management
5.2. Declarative container specification
5.3. Networking
6. Development
6.1. Getting the sources
6.2. Writing NixOS modules
6.2.1. Option declarations
6.2.2. Option definitions
6.2.3. Important options
6.3. Building specific parts of NixOS
6.4. Building your own NixOS CD
6.5. Testing the installer
6.6. NixOS tests
A. Release notes
A.1. Release 14.04 (“Baboon”, 2014/04/30)
A.2. Release 13.10 (“Aardvark”, 2013/10/31)
B. Configuration options

This manual describes how to install, use and extend NixOS, a Linux distribution based on the purely functional package management system Nix.

If you encounter problems, please report them on the nix-dev@lists.science.uu.nl mailing list or on the #nixos channel on Freenode. Bugs should be reported in NixOS’ GitHub issue tracker.

1.1. Obtaining NixOS

NixOS ISO images can be downloaded from the NixOS homepage. These can be burned onto a CD. It is also possible to copy them onto a USB stick and install NixOS from there. For details, see the NixOS Wiki.

As an alternative to installing NixOS yourself, you can get a running NixOS system through several other means:

  • Using virtual appliances in Open Virtualization Format (OVF) that can be imported into VirtualBox. These are available from the NixOS homepage.

  • Using AMIs for Amazon’s EC2. To find one for your region and instance type, please refer to the list of most recent AMIs.

  • Using NixOps, the NixOS-based cloud deployment tool, which allows you to provision VirtualBox and EC2 NixOS instances from declarative specifications. Check out the NixOps homepage for details.

1.2. Installation

  1. Boot from the CD.

  2. The CD contains a basic NixOS installation. (It also contains Memtest86+, useful if you want to test new hardware.) When it’s finished booting, it should have detected most of your hardware and brought up networking (check ifconfig). Networking is necessary for the installer, since it will download lots of stuff (such as source tarballs or Nixpkgs channel binaries). It’s best if you have a DHCP server on your network. Otherwise configure networking manually using ifconfig.

  3. The NixOS manual is available on virtual console 8 (press Alt+F8 to access).

  4. Login as root and the empty password.

  5. If you downloaded the graphical ISO image, you can run start display-manager to start KDE.

  6. The NixOS installer doesn’t do any partitioning or formatting yet, so you need to that yourself. Use the following commands:

    • For partitioning: fdisk.

    • For initialising Ext4 partitions: mkfs.ext4. It is recommended that you assign a unique symbolic label to the file system using the option -L label, since this makes the file system configuration independent from device changes. For example:

      $ mkfs.ext4 -L nixos /dev/sda1

    • For creating swap partitions: mkswap. Again it’s recommended to assign a label to the swap partition: -L label.

    • For creating LVM volumes, the LVM commands, e.g.,

      $ pvcreate /dev/sda1 /dev/sdb1
      $ vgcreate MyVolGroup /dev/sda1 /dev/sdb1
      $ lvcreate --size 2G --name bigdisk MyVolGroup
      $ lvcreate --size 1G --name smalldisk MyVolGroup

    • For creating software RAID devices, use mdadm.

  7. Mount the target file system on which NixOS should be installed on /mnt, e.g.

    $ mount /dev/disk/by-label/nixos /mnt
    

  8. If your machine has a limited amount of memory, you may want to activate swap devices now (swapon device). The installer (or rather, the build actions that it may spawn) may need quite a bit of RAM, depending on your configuration.

  9. You now need to create a file /mnt/etc/nixos/configuration.nix that specifies the intended configuration of the system. This is because NixOS has a declarative configuration model: you create or edit a description of the desired configuration of your system, and then NixOS takes care of making it happen. The syntax of the NixOS configuration file is described in Section 2.1, “Configuration syntax”, while a list of available configuration options appears in Appendix B, Configuration options. A minimal example is shown in Example 1.2, “NixOS configuration”.

    The command nixos-generate-config can generate an initial configuration file for you:

    $ nixos-generate-config --root /mnt

    You should then edit /mnt/etc/nixos/configuration.nix to suit your needs:

    $ nano /mnt/etc/nixos/configuration.nix
    

    The vim text editor is also available.

    You must set the option boot.loader.grub.device to specify on which disk the GRUB boot loader is to be installed. Without it, NixOS cannot boot.

    Another critical option is fileSystems, specifying the file systems that need to be mounted by NixOS. However, you typically don’t need to set it yourself, because nixos-generate-config sets it automatically in /mnt/etc/nixos/hardware-configuration.nix from your currently mounted file systems. (The configuration file hardware-configuration.nix is included from configuration.nix and will be overwritten by future invocations of nixos-generate-config; thus, you generally should not modify it.)

    Note: Depending on your hardware configuration or type of file system, you may need to set the option boot.initrd.kernelModules to include the kernel modules that are necessary for mounting the root file system, otherwise the installed system will not be able to boot. (If this happens, boot from the CD again, mount the target file system on /mnt, fix /mnt/etc/nixos/configuration.nix and rerun nixos-install.) In most cases, nixos-generate-config will figure out the required modules.

    Examples of real-world NixOS configuration files can be found at https://nixos.org/repos/nix/configurations/trunk/.

  10. Do the installation:

    $ nixos-install

    Cross fingers. If this fails due to a temporary problem (such as a network issue while downloading binaries from the NixOS binary cache), you can just re-run nixos-install. Otherwise, fix your configuration.nix and then re-run nixos-install.

  11. If everything went well:

    $ reboot

  12. You should now be able to boot into the installed NixOS. The GRUB boot menu shows a list of available configurations (initially just one). Every time you change the NixOS configuration (see Section 1.3, “Changing the configuration”), a new item appears in the menu. This allows you to easily roll back to another configuration if something goes wrong.

    You should log in and change the root password with passwd.

    You’ll probably want to create some user accounts as well, which can be done with useradd:

    $ useradd -c 'Eelco Dolstra' -m eelco
    $ passwd eelco

    You may also want to install some software. For instance,

    $ nix-env -qa \*

    shows what packages are available, and

    $ nix-env -i w3m

    install the w3m browser.

To summarise, Example 1.1, “Commands for installing NixOS on /dev/sda shows a typical sequence of commands for installing NixOS on an empty hard drive (here /dev/sda). Example 1.2, “NixOS configuration” shows a corresponding configuration Nix expression.

Example 1.1. Commands for installing NixOS on /dev/sda

$ fdisk /dev/sda # (or whatever device you want to install on)
$ mkfs.ext4 -L nixos /dev/sda1
$ mkswap -L swap /dev/sda2
$ swapon /dev/sda2
$ mount /dev/disk/by-label/nixos /mnt
$ nixos-generate-config --root /mnt
$ nano /mnt/etc/nixos/configuration.nix
$ nixos-install
$ reboot


Example 1.2. NixOS configuration

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  boot.loader.grub.device = "/dev/sda";

  # Note: setting fileSystems is generally not
  # necessary, since nixos-generate-config figures them out
  # automatically in hardware-configuration.nix.
  #fileSystems."/".device = "/dev/disk/by-label/nixos";

  # Enable the OpenSSH server.
  services.sshd.enable = true;
}


1.2.1. UEFI Installation

NixOS can also be installed on UEFI systems. The procedure is by and large the same as a BIOS installation, with the following changes:

  • You should boot the live CD in UEFI mode (consult your specific hardware's documentation for instructions).

  • Instead of fdisk, you should use gdisk to partition your disks. You will need to have a separate partition for /boot with partition code EF00, and it should be formatted as a vfat filesystem.

  • You must set boot.loader.gummiboot.enable to true. nixos-generate-config should do this automatically for new configurations when booted in UEFI mode.

  • You may want to look at the options starting with boot.loader.efi and boot.loader.gummiboot as well.

  • To see console messages during early boot, add "fbcon" to your boot.initrd.kernelModules.

1.2.2. Booting from a USB stick

For systems withoua CD drive, the NixOS livecd can be booted from a usb stick. For non-UEFI installations, unetbootin will work. For UEFI installations, you should mount the ISO, copy its contents verbatim to your drive, then either:

  • Change the label of the disk partition to the label of the ISO (visible with the blkid command), or

  • Edit loader/entries/nixos-livecd.conf on the drive and change the root= field in the options line to point to your drive (see the documentation on root= in the kernel documentation for more details).

1.3. Changing the configuration

The file /etc/nixos/configuration.nix contains the current configuration of your machine. Whenever you’ve changed something to that file, you should do

$ nixos-rebuild switch

to build the new configuration, make it the default configuration for booting, and try to realise the configuration in the running system (e.g., by restarting system services).

Warning: These commands must be executed as root, so you should either run them from a root shell or by prefixing them with sudo -i.

You can also do

$ nixos-rebuild test

to build the configuration and switch the running system to it, but without making it the boot default. So if (say) the configuration locks up your machine, you can just reboot to get back to a working configuration.

There is also

$ nixos-rebuild boot

to build the configuration and make it the boot default, but not switch to it now (so it will only take effect after the next reboot).

You can make your configuration show up in a different submenu of the GRUB 2 boot screen by giving it a different profile name, e.g.

$ nixos-rebuild switch -p test 

which causes the new configuration (and previous ones created using -p test) to show up in the GRUB submenu “NixOS - Profile 'test'”. This can be useful to separate test configurations from “stable” configurations.

Finally, you can do

$ nixos-rebuild build

to build the configuration but nothing more. This is useful to see whether everything compiles cleanly.

If you have a machine that supports hardware virtualisation, you can also test the new configuration in a sandbox by building and running a QEMU virtual machine that contains the desired configuration. Just do

$ nixos-rebuild build-vm
$ ./result/bin/run-*-vm

The VM does not have any data from your host system, so your existing user accounts and home directories will not be available. You can forward ports on the host to the guest. For instance, the following will forward host port 2222 to guest port 22 (SSH):

$ QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm

allowing you to log in via SSH (assuming you have set the appropriate passwords or SSH authorized keys):

$ ssh -p 2222 localhost

1.4. Upgrading NixOS

The best way to keep your NixOS installation up to date is to use one of the NixOS channels. A channel is a Nix mechanism for distributing Nix expressions and associated binaries. The NixOS channels are updated automatically from NixOS’s Git repository after certain tests have passed and all packages have been built. These channels are:

  • Stable channels, such as nixos-14.04. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but not from 3.4.x to 3.11.x (a major change that has the potential to break things). Stable channels are generally maintained until the next stable branch is created.

  • The unstable channel, nixos-unstable. This corresponds to NixOS’s main development branch, and may thus see radical changes between channel updates. It’s not recommended for production systems.

To see what channels are available, go to http://nixos.org/channels. (Note that the URIs of the various channels redirect to a directory that contains the channel’s latest version and includes ISO images and VirtualBox appliances.)

When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For instance, if you installed from a 14.04 ISO, you will be subscribed to the nixos-14.04 channel. To see which NixOS channel you’re subscribed to, run the following as root:

$ nix-channel --list | grep nixos
nixos https://nixos.org/channels/nixos-unstable

To switch to a different NixOS channel, do

$ nix-channel --add http://nixos.org/channels/channel-name nixos

(Be sure to include the nixos parameter at the end.) For instance, to use the NixOS 14.04 stable channel:

$ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos

But it you want to live on the bleeding edge:

$ nix-channel --add http://nixos.org/channels/nixos-unstable nixos

You can then upgrade NixOS to the latest version in your chosen channel by running

$ nixos-rebuild switch --upgrade

which is equivalent to the more verbose nix-channel --update nixos; nixos-rebuild switch.

Warning: It is generally safe to switch back and forth between channels. The only exception is that a newer NixOS may also have a newer Nix version, which may involve an upgrade of Nix’s database schema. This cannot be undone easily, so in that case you will not be able to go back to your original channel.

This chapter describes how to configure various aspects of a NixOS machine through the configuration file /etc/nixos/configuration.nix. As described in Section 1.3, “Changing the configuration”, changes to this file only take effect after you run nixos-rebuild.

2.1. Configuration syntax

2.1.1. The basics

The NixOS configuration file /etc/nixos/configuration.nix is actually a Nix expression, which is the Nix package manager’s purely functional language for describing how to build packages and configurations. This means you have all the expressive power of that language at your disposal, including the ability to abstract over common patterns, which is very useful when managing complex systems. The syntax and semantics of the Nix language are fully described in the Nix manual, but here we give a short overview of the most important constructs useful in NixOS configuration files.

The NixOS configuration file generally looks like this:

{ config, pkgs, ... }:

{ option definitions
}

The first line ({ config, pkgs, ... }:) denotes that this is actually a function that takes at least the two arguments config and pkgs. (These are explained later.) The function returns a set of option definitions ({ ... }). These definitions have the form name = value, where name is the name of an option and value is its value. For example,

{ config, pkgs, ... }:

{ services.httpd.enable = true;
  services.httpd.adminAddr = "alice@example.org";
  services.httpd.documentRoot = "/webroot";
}

defines a configuration with three option definitions that together enable the Apache HTTP Server with /webroot as the document root.

Sets can be nested, and in fact dots in option names are shorthand for defining a set containing another set. For instance, services.httpd.enable defines a set named services that contains a set named httpd, which in turn contains an option definition named enable with value true. This means that the example above can also be written as:

{ config, pkgs, ... }:

{ services = {
    httpd = {
      enable = true;
      adminAddr = "alice@example.org";
      documentRoot = "/webroot";
    };
  };
}

which may be more convenient if you have lots of option definitions that share the same prefix (such as services.httpd).

NixOS checks your option definitions for correctness. For instance, if you try to define an option that doesn’t exist (that is, doesn’t have a corresponding option declaration), nixos-rebuild will give an error like:

The option `services.httpd.enabl' defined in `/etc/nixos/configuration.nix' does not exist.

Likewise, values in option definitions must have a correct type. For instance, services.httpd.enable must be a Boolean (true or false). Trying to give it a value of another type, such as a string, will cause an error:

The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is not a boolean.

Options have various types of values. The most important are:

Strings

Strings are enclosed in double quotes, e.g.

networking.hostName = "dexter";

Special characters can be escaped by prefixing them with a backslash (e.g. \").

Multi-line strings can be enclosed in double single quotes, e.g.

networking.extraHosts =
  ''
    127.0.0.2 other-localhost
    10.0.0.1 server
  '';

The main difference is that preceding whitespace is automatically stripped from each line, and that characters like " and \ are not special (making it more convenient for including things like shell code).

Booleans

These can be true or false, e.g.

networking.firewall.enable = true;
networking.firewall.allowPing = false;

Integers

For example,

boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60;

(Note that here the attribute name net.ipv4.tcp_keepalive_time is enclosed in quotes to prevent it from being interpreted as a set named net containing a set named ipv4, and so on. This is because it’s not a NixOS option but the literal name of a Linux kernel setting.)

Sets

Sets were introduced above. They are name/value pairs enclosed in braces, as in the option definition

fileSystems."/boot" =
  { device = "/dev/sda1";
    fsType = "ext4";
    options = "rw,data=ordered,relatime";
  };

Lists

The important thing to note about lists is that list elements are separated by whitespace, like this:

boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];

List elements can be any other type, e.g. sets:

swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];

Packages

Usually, the packages you need are already part of the Nix Packages collection, which is a set that can be accessed through the function argument pkgs. Typical uses:

environment.systemPackages =
  [ pkgs.thunderbird
    pkgs.emacs
  ];

postgresql.package = pkgs.postgresql90;

The latter option definition changes the default PostgreSQL package used by NixOS’s PostgreSQL service to 9.0. For more information on packages, including how to add new ones, see Section 2.2.1.2, “Adding custom packages”.

2.1.2. Abstractions

If you find yourself repeating yourself over and over, it’s time to abstract. Take, for instance, this Apache HTTP Server configuration:

{
  services.httpd.virtualHosts =
    [ { hostName = "example.org";
        documentRoot = "/webroot";
        adminAddr = "alice@example.org";
        enableUserDir = true;
      }
      { hostName = "example.org";
        documentRoot = "/webroot";
        adminAddr = "alice@example.org";
        enableUserDir = true;
        enableSSL = true;
        sslServerCert = "/root/ssl-example-org.crt";
        sslServerKey = "/root/ssl-example-org.key";
      }
    ];
}

It defines two virtual hosts with nearly identical configuration; the only difference is that the second one has SSL enabled. To prevent this duplication, we can use a let:

let
  exampleOrgCommon =
    { hostName = "example.org";
      documentRoot = "/webroot";
      adminAddr = "alice@example.org";
      enableUserDir = true;
    };
in
{
  services.httpd.virtualHosts =
    [ exampleOrgCommon
      (exampleOrgCommon // {
        enableSSL = true;
        sslServerCert = "/root/ssl-example-org.crt";
        sslServerKey = "/root/ssl-example-org.key";
      })
    ];
}

The let exampleOrgCommon = ... defines a variable named exampleOrgCommon. The // operator merges two attribute sets, so the configuration of the second virtual host is the set exampleOrgCommon extended with the SSL options.

You can write a let wherever an expression is allowed. Thus, you also could have written:

{
  services.httpd.virtualHosts =
    let exampleOrgCommon = ...; in
    [ exampleOrgCommon
      (exampleOrgCommon // { ... })
    ];
}

but not { let exampleOrgCommon = ...; in ...; } since attributes (as opposed to attribute values) are not expressions.

Functions provide another method of abstraction. For instance, suppose that we want to generate lots of different virtual hosts, all with identical configuration except for the host name. This can be done as follows:

{
  services.httpd.virtualHosts =
    let
      makeVirtualHost = name:
        { hostName = name;
          documentRoot = "/webroot";
          adminAddr = "alice@example.org";
        };
    in
      [ (makeVirtualHost "example.org")
        (makeVirtualHost "example.com")
        (makeVirtualHost "example.gov")
        (makeVirtualHost "example.nl")
      ];
}

Here, makeVirtualHost is a function that takes a single argument name and returns the configuration for a virtual host. That function is then called for several names to produce the list of virtual host configurations.

We can further improve on this by using the function map, which applies another function to every element in a list:

{
  services.httpd.virtualHosts =
    let
      makeVirtualHost = ...;
    in map makeVirtualHost
      [ "example.org" "example.com" "example.gov" "example.nl" ];
}

(The function map is called a higher-order function because it takes another function as an argument.)

What if you need more than one argument, for instance, if we want to use a different documentRoot for each virtual host? Then we can make makeVirtualHost a function that takes a set as its argument, like this:

{
  services.httpd.virtualHosts =
    let
      makeVirtualHost = { name, root }:
        { hostName = name;
          documentRoot = root;
          adminAddr = "alice@example.org";
        };
    in map makeVirtualHost
      [ { name = "example.org"; root = "/sites/example.org"; }
        { name = "example.com"; root = "/sites/example.com"; }
        { name = "example.gov"; root = "/sites/example.gov"; }
        { name = "example.nl"; root = "/sites/example.nl"; }
      ];
}

But in this case (where every root is a subdirectory of /sites named after the virtual host), it would have been shorter to define makeVirtualHost as

makeVirtualHost = name:
  { hostName = name;
    documentRoot = "/sites/${name}";
    adminAddr = "alice@example.org";
  };

Here, the construct ${...} allows the result of an expression to be spliced into a string.

2.1.3. Modularity

The NixOS configuration mechanism is modular. If your configuration.nix becomes too big, you can split it into multiple files. Likewise, if you have multiple NixOS configurations (e.g. for different computers) with some commonality, you can move the common configuration into a shared file.

Modules have exactly the same syntax as configuration.nix. In fact, configuration.nix is itself a module. You can use other modules by including them from configuration.nix, e.g.:

{ config, pkgs, ... }:

{ imports = [ ./vpn.nix ./kde.nix ];
  services.httpd.enable = true;
  environment.systemPackages = [ pkgs.emacs ];
  ...
}

Here, we include two modules from the same directory, vpn.nix and kde.nix. The latter might look like this:

{ config, pkgs, ... }:

{ services.xserver.enable = true;
  services.xserver.displayManager.kdm.enable = true;
  services.xserver.desktopManager.kde4.enable = true;
  environment.systemPackages = [ pkgs.kde4.kscreensaver ];
}

Note that both configuration.nix and kde.nix define the option environment.systemPackages. When multiple modules define an option, NixOS will try to merge the definitions. In the case of environment.systemPackages, that’s easy: the lists of packages can simply be concatenated. The value in configuration.nix is merged last, so for list-type options, it will appear at the end of the merged list. If you want it to appear first, you can use mkBefore:

boot.kernelModules = mkBefore [ "kvm-intel" ];

This causes the kvm-intel kernel module to be loaded before any other kernel modules.

For other types of options, a merge may not be possible. For instance, if two modules define services.httpd.adminAddr, nixos-rebuild will give an error:

The unique option `services.httpd.adminAddr' is defined multiple times, in `/etc/nixos/httpd.nix' and `/etc/nixos/configuration.nix'.

When that happens, it’s possible to force one definition take precedence over the others:

services.httpd.adminAddr = pkgs.lib.mkForce "bob@example.org";

When using multiple modules, you may need to access configuration values defined in other modules. This is what the config function argument is for: it contains the complete, merged system configuration. That is, config is the result of combining the configurations returned by every module[1]. For example, here is a module that adds some packages to environment.systemPackages only if services.xserver.enable is set to true somewhere else:

{ config, pkgs, ... }:

{ environment.systemPackages =
    if config.services.xserver.enable then
      [ pkgs.firefox
        pkgs.thunderbird
      ]
    else
      [ ];
}

With multiple modules, it may not be obvious what the final value of a configuration option is. The command nixos-option allows you to find out:

$ nixos-option services.xserver.enable
true

$ nixos-option boot.kernelModules
[ "tun" "ipv6" "loop" ... ]

Interactive exploration of the configuration is possible using nix-repl, a read-eval-print loop for Nix expressions. It’s not installed by default; run nix-env -i nix-repl to get it. A typical use:

$ nix-repl '<nixos>'

nix-repl> config.networking.hostName
"mandark"

nix-repl> map (x: x.hostName) config.services.httpd.virtualHosts
[ "example.org" "example.gov" ]

2.1.4. Syntax summary

Below is a summary of the most important syntactic constructs in the Nix expression language. It’s not complete. In particular, there are many other built-in functions. See the Nix manual for the rest.

ExampleDescription
Basic values
"Hello world"A string
"${pkgs.bash}/bin/sh"A string containing an expression (expands to "/nix/store/hash-bash-version/bin/sh")
true, falseBooleans
123An integer
./foo.pngA path (relative to the containing Nix expression)
Compound values
{ x = 1; y = 2; }An set with attributes names x and y
{ foo.bar = 1; }A nested set, equivalent to { foo = { bar = 1; }; }
rec { x = "bla"; y = x + "bar"; }A recursive set, equivalent to { x = "foo"; y = "foobar"; }
[ "foo" "bar" ]A list with two elements
Operators
"foo" + "bar"String concatenation
1 + 2Integer addition
"foo" == "f" + "oo"Equality test (evaluates to true)
"foo" != "bar"Inequality test (evaluates to true)
!trueBoolean negation
{ x = 1; y = 2; }.xAttribute selection (evaluates to 1)
{ x = 1; y = 2; }.z or 3Attribute selection with default (evaluates to 3)
{ x = 1; y = 2; } // { z = 3; }Merge two sets (attributes in the right-hand set taking precedence)
Control structures
if 1 + 1 == 2 then "yes!" else "no!"Conditional expression
assert 1 + 1 == 2; "yes!"Assertion check (evaluates to "yes!")
let x = "foo"; y = "bar"; in x + yVariable definition
with pkgs.lib; head [ 1 2 3 ]Add all attributes from the given set to the scope (evaluates to 1)
Functions (lambdas)
x: x + 1A function that expects an integer and returns it increased by 1
(x: x + 1) 100A function call (evaluates to 101)
let inc = x: x + 1; in inc (inc (inc 100))A function bound to a variable and subsequently called by name (evaluates to 103)
{ x, y }: x + yA function that expects a set with required attributes x and y and concatenates them
{ x, y ? "bar" }: x + yA function that expects a set with required attribute x and optional y, using "bar" as default value for y
{ x, y, ... }: x + yA function that expects a set with required attributes x and y and ignores any other attributes
{ x, y } @ args: x + yA function that expects a set with required attributes x and y, and binds the whole set to args
Built-in functions
import ./foo.nixLoad and return Nix expression in given file
map (x: x + x) [ 1 2 3 ]Apply a function to every element of a list (evaluates to [ 2 4 6 ])

2.2. Package management

This section describes how to add additional packages to your system. NixOS has two distinct styles of package management:

  • Declarative, where you declare what packages you want in your configuration.nix. Every time you run nixos-rebuild, NixOS will ensure that you get a consistent set of binaries corresponding to your specification.

  • Ad hoc, where you install, upgrade and uninstall packages via the nix-env command. This style allows mixing packages from different Nixpkgs versions. It’s the only choice for non-root users.

The next two sections describe these two styles.

2.2.1. Declarative package management

With declarative package management, you specify which packages you want on your system by setting the option environment.systemPackages. For instance, adding the following line to configuration.nix enables the Mozilla Thunderbird email application:

environment.systemPackages = [ pkgs.thunderbird ];

The effect of this specification is that the Thunderbird package from Nixpkgs will be built or downloaded as part of the system when you run nixos-rebuild switch.

You can get a list of the available packages as follows:

$ nix-env -qaP '*' --description
nixos.pkgs.firefox   firefox-23.0   Mozilla Firefox - the browser, reloaded
...

The first column in the output is the attribute name, such as nixos.pkgs.thunderbird. (The nixos prefix allows distinguishing between different channels that you might have.)

To “uninstall” a package, simply remove it from environment.systemPackages and run nixos-rebuild switch.

2.2.1.1. Customising packages

Some packages in Nixpkgs have options to enable or disable optional functionality or change other aspects of the package. For instance, the Firefox wrapper package (which provides Firefox with a set of plugins such as the Adobe Flash player) has an option to enable the Google Talk plugin. It can be set in configuration.nix as follows: nixpkgs.config.firefox.enableGoogleTalkPlugin = true;

Warning: Unfortunately, Nixpkgs currently lacks a way to query available configuration options.

Apart from high-level options, it’s possible to tweak a package in almost arbitrary ways, such as changing or disabling dependencies of a package. For instance, the Emacs package in Nixpkgs by default has a dependency on GTK+ 2. If you want to build it against GTK+ 3, you can specify that as follows:

environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ];

The function override performs the call to the Nix function that produces Emacs, with the original arguments amended by the set of arguments specified by you. So here the function argument gtk gets the value pkgs.gtk3, causing Emacs to depend on GTK+ 3. (The parentheses are necessary because in Nix, function application binds more weakly than list construction, so without them, environment.systemPackages would be a list with two elements.)

Even greater customisation is possible using the function overrideDerivation. While the override mechanism above overrides the arguments of a package function, overrideDerivation allows changing the result of the function. This permits changing any aspect of the package, such as the source code. For instance, if you want to override the source code of Emacs, you can say:

environment.systemPackages =
  [ (pkgs.lib.overrideDerivation pkgs.emacs (attrs: {
      name = "emacs-25.0-pre";
      src = /path/to/my/emacs/tree;
    }))
  ];

Here, overrideDerivation takes the Nix derivation specified by pkgs.emacs and produces a new derivation in which the original’s name and src attribute have been replaced by the given values. The original attributes are accessible via attrs.

The overrides shown above are not global. They do not affect the original package; other packages in Nixpkgs continue to depend on the original rather than the customised package. This means that if another package in your system depends on the original package, you end up with two instances of the package. If you want to have everything depend on your customised instance, you can apply a global override as follows:

nixpkgs.config.packageOverrides = pkgs:
  { emacs = pkgs.emacs.override { gtk = pkgs.gtk3; };
  };

The effect of this definition is essentially equivalent to modifying the emacs attribute in the Nixpkgs source tree. Any package in Nixpkgs that depends on emacs will be passed your customised instance. (However, the value pkgs.emacs in nixpkgs.config.packageOverrides refers to the original rather than overriden instance, to prevent an infinite recursion.)

2.2.1.2. Adding custom packages

It’s possible that a package you need is not available in NixOS. In that case, you can do two things. First, you can clone the Nixpkgs repository, add the package to your clone, and (optionally) submit a patch or pull request to have it accepted into the main Nixpkgs repository. This is described in detail in the Nixpkgs manual. In short, you clone Nixpkgs:

$ git clone git://github.com/NixOS/nixpkgs.git
$ cd nixpkgs

Then you write and test the package as described in the Nixpkgs manual. Finally, you add it to environment.systemPackages, e.g.

environment.systemPackages = [ pkgs.my-package ];

and you run nixos-rebuild, specifying your own Nixpkgs tree:

$ nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs

The second possibility is to add the package outside of the Nixpkgs tree. For instance, here is how you specify a build of the GNU Hello package directly in configuration.nix:

environment.systemPackages =
  let
    my-hello = with pkgs; stdenv.mkDerivation rec {
      name = "hello-2.8";
      src = fetchurl {
        url = "mirror://gnu/hello/${name}.tar.gz";
        sha256 = "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6";
      };
    };
  in
  [ my-hello ];

Of course, you can also move the definition of my-hello into a separate Nix expression, e.g.

environment.systemPackages = [ (import ./my-hello.nix) ];

where my-hello.nix contains:

with import <nixpkgs> {}; # bring all of Nixpkgs into scope

stdenv.mkDerivation rec {
  name = "hello-2.8";
  src = fetchurl {
    url = "mirror://gnu/hello/${name}.tar.gz";
    sha256 = "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6";
  };
}

This allows testing the package easily:

$ nix-build my-hello.nix
$ ./result/bin/hello
Hello, world!

2.2.2. Ad hoc package management

With the command nix-env, you can install and uninstall packages from the command line. For instance, to install Mozilla Thunderbird:

$ nix-env -iA nixos.pkgs.thunderbird

If you invoke this as root, the package is installed in the Nix profile /nix/var/nix/profiles/default and visible to all users of the system; otherwise, the package ends up in /nix/var/nix/profiles/per-user/username/profile and is not visible to other users. The -A flag specifies the package by its attribute name; without it, the package is installed by matching against its package name (e.g. thunderbird). The latter is slower because it requires matching against all available Nix packages, and is ambiguous if there are multiple matching packages.

Packages come from the NixOS channel. You typically upgrade a package by updating to the latest version of the NixOS channel:

$ nix-channel --update nixos

and then running nix-env -i again. Other packages in the profile are not affected; this is the crucial difference with the declarative style of package management, where running nixos-rebuild switch causes all packages to be updated to their current versions in the NixOS channel. You can however upgrade all packages for which there is a newer version by doing:

$ nix-env -u '*'

A package can be uninstalled using the -e flag:

$ nix-env -e thunderbird

Finally, you can roll back an undesirable nix-env action:

$ nix-env --rollback

nix-env has many more flags. For details, see the nix-env(1) manpage or the Nix manual.

2.3. User management

NixOS supports both declarative and imperative styles of user management. In the declarative style, users are specified in configuration.nix. For instance, the following states that a user account named alice shall exist:

users.extraUsers.alice =
  { createHome = true;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" ];
    useDefaultShell = true;
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };

Note that alice is a member of the wheel group, which allows her to use sudo to execute commands as root. Also note the SSH public key that allows remote logins with the corresponding private key. Users created in this way do not have a password by default, so they cannot log in via mechanisms that require a password. However, you can use the passwd program to set a password, which is retained across invocations of nixos-rebuild.

A user ID (uid) is assigned automatically. You can also specify a uid manually by adding

    uid = 1000;

to the user specification.

Groups can be specified similarly. The following states that a group named students shall exist:

users.extraGroups.students.gid = 1000;

As with users, the group ID (gid) is optional and will be assigned automatically if it’s missing.

Warning: Currently declarative user management is not perfect: nixos-rebuild does not know how to realise certain configuration changes. This includes removing a user or group, and removing group membership from a user.

In the imperative style, users and groups are managed by commands such as useradd, groupmod and so on. For instance, to create a user account named alice:

$ useradd -m alice

The flag -m causes the creation of a home directory for the new user, which is generally what you want. The user does not have an initial password and therefore cannot log in. A password can be set using the passwd utility:

$ passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***

A user can be deleted using userdel:

$ userdel -r alice

The flag -r deletes the user’s home directory. Accounts can be modified using usermod. Unix groups can be managed using groupadd, groupmod and groupdel.

2.4. File systems

You can define file systems using the fileSystems configuration option. For instance, the following definition causes NixOS to mount the Ext4 file system on device /dev/disk/by-label/data onto the mount point /data:

fileSystems."/data" =
  { device = "/dev/disk/by-label/data";
    fsType = "ext4";
  };

Mount points are created automatically if they don’t already exist. For device, it’s best to use the topology-independent device aliases in /dev/disk/by-label and /dev/disk/by-uuid, as these don’t change if the topology changes (e.g. if a disk is moved to another IDE controller).

You can usually omit the file system type (fsType), since mount can usually detect the type and load the necessary kernel module automatically. However, if the file system is needed at early boot (in the initial ramdisk) and is not ext2, ext3 or ext4, then it’s best to specify fsType to ensure that the kernel module is available.

2.4.1. LUKS-encrypted file systems

NixOS supports file systems that are encrypted using LUKS (Linux Unified Key Setup). For example, here is how you create an encrypted Ext4 file system on the device /dev/sda2:

$ cryptsetup luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

$ cryptsetup luksOpen /dev/sda2 crypted
Enter passphrase for /dev/sda2: ***

$ mkfs.ext4 /dev/mapper/crypted

To ensure that this file system is automatically mounted at boot time as /, add the following to configuration.nix:

boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "crypted"; } ];
fileSystems."/".device = "/dev/mapper/crypted";

2.5. X Window System

The X Window System (X11) provides the basis of NixOS’ graphical user interface. It can be enabled as follows:

services.xserver.enable = true;

The X server will automatically detect and use the appropriate video driver from a set of X.org drivers (such as vesa and intel). You can also specify a driver manually, e.g.

services.xserver.videoDrivers = [ "r128" ];

to enable X.org’s xf86-video-r128 driver.

You also need to enable at least one desktop or window manager. Otherwise, you can only log into a plain undecorated xterm window. Thus you should pick one or more of the following lines:

services.xserver.desktopManager.kde4.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.twm.enable = true;
services.xserver.windowManager.icewm.enable = true;

NixOS’s default display manager (the program that provides a graphical login prompt and manages the X server) is SLiM. You can select KDE’s kdm instead:

services.xserver.displayManager.kdm.enable = true;

The X server is started automatically at boot time. If you don’t want this to happen, you can set:

services.xserver.autorun = false;

The X server can then be started manually:

$ systemctl start display-manager.service

2.5.1. NVIDIA graphics cards

NVIDIA provides a proprietary driver for its graphics cards that has better 3D performance than the X.org drivers. It is not enabled by default because it’s not free software. You can enable it as follows:

services.xserver.videoDrivers = [ "nvidia" ];

You may need to reboot after enabling this driver to prevent a clash with other kernel modules.

On 64-bit systems, if you want full acceleration for 32-bit programs such as Wine, you should also set the following:

services.xserver.driSupport32Bit = true;

2.5.2. Touchpads

Support for Synaptics touchpads (found in many laptops such as the Dell Latitude series) can be enabled as follows:

services.xserver.synaptics.enable = true;

The driver has many options (see Appendix B, Configuration options). For instance, the following enables two-finger scrolling:

services.xserver.synaptics.twoFingerScroll = true;

2.6. Networking

2.6.1. Secure shell access

Secure shell (SSH) access to your machine can be enabled by setting:

services.openssh.enable = true;

By default, root logins using a password are disallowed. They can be disabled entirely by setting services.openssh.permitRootLogin to "no".

You can declaratively specify authorised RSA/DSA public keys for a user as follows:

users.extraUsers.alice.openssh.authorizedKeys.keys =
  [ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];

2.6.2. IPv4 configuration

By default, NixOS uses DHCP (specifically, dhcpcd) to automatically configure network interfaces. However, you can configure an interface manually as follows:

networking.interfaces.eth0 = { ipAddress = "192.168.1.2"; prefixLength = 24; };

(The network prefix can also be specified using the option subnetMask, e.g. "255.255.255.0", but this is deprecated.) Typically you’ll also want to set a default gateway and set of name servers:

networking.defaultGateway = "192.168.1.1";
networking.nameservers = [ "8.8.8.8" ];

Note: Statically configured interfaces are set up by the systemd service interface-name-cfg.service. The default gateway and name server configuration is performed by network-setup.service.

The host name is set using networking.hostName:

networking.hostName = "cartman";

The default host name is nixos. Set it to the empty string ("") to allow the DHCP server to provide the host name.

2.6.3. IPv6 configuration

IPv6 is enabled by default. Stateless address autoconfiguration is used to automatically assign IPv6 addresses to all interfaces. You can disable IPv6 support globally by setting:

networking.enableIPv6 = false;

2.6.4. Firewall

NixOS has a simple stateful firewall that blocks incoming connections and other unexpected packets. The firewall applies to both IPv4 and IPv6 traffic. It is enabled by default. It can be disabled as follows:

networking.firewall.enable = false;

If the firewall is enabled, you can open specific TCP ports to the outside world:

networking.firewall.allowedTCPPorts = [ 80 443 ];

Note that TCP port 22 (ssh) is opened automatically if the SSH daemon is enabled (services.openssh.enable = true). UDP ports can be opened through networking.firewall.allowedUDPPorts. Also of interest is

networking.firewall.allowPing = true;

to allow the machine to respond to ping requests. (ICMPv6 pings are always allowed.)

2.6.5. Wireless networks

NixOS will start wpa_supplicant for you if you enable this setting:

networking.wireless.enable = true;

NixOS currently does not generate wpa_supplicant's configuration file, /etc/wpa_supplicant.conf. You should edit this file yourself to define wireless networks, WPA keys and so on (see wpa_supplicant.conf(5)).

If you are using WPA2 the wpa_passphrase tool might be useful to generate the wpa_supplicant.conf.

$ wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf

After you have edited the wpa_supplicant.conf, you need to restart the wpa_supplicant service.

$ systemctl restart wpa_supplicant.service

2.6.6. Ad-hoc configuration

You can use networking.localCommands to specify shell commands to be run at the end of network-setup.service. This is useful for doing network configuration not covered by the existing NixOS modules. For instance, to statically configure an IPv6 address:

networking.localCommands =
  ''
    ip -6 addr add 2001:610:685:1::1/64 dev eth0
  '';

2.7. Linux kernel

You can override the Linux kernel and associated packages using the option boot.kernelPackages. For instance, this selects the Linux 3.10 kernel:

boot.kernelPackages = pkgs.linuxPackages_3_10;

Note that this not only replaces the kernel, but also packages that are specific to the kernel version, such as the NVIDIA video drivers. This ensures that driver packages are consistent with the kernel.

The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel in /run/booted-system/kernel-modules/config. If you want to change the kernel configuration, you can use the packageOverrides feature (see Section 2.2.1.1, “Customising packages”). For instance, to enable support for the kernel debugger KGDB:

nixpkgs.config.packageOverrides = pkgs:
  { linux_3_4 = pkgs.linux_3_4.override {
      extraConfig =
        ''
          KGDB y
        '';
    };
  };

extraConfig takes a list of Linux kernel configuration options, one per line. The name of the option should not include the prefix CONFIG_. The option value is typically y, n or m (to build something as a kernel module).

Kernel modules for hardware devices are generally loaded automatically by udev. You can force a module to be loaded via boot.kernelModules, e.g.

boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];

If the module is required early during the boot (e.g. to mount the root file system), you can use boot.initrd.extraKernelModules:

boot.initrd.extraKernelModules = [ "cifs" ];

This causes the specified modules and their dependencies to be added to the initial ramdark.

Kernel runtime parameters can be set through boot.kernel.sysctl, e.g.

boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120;

sets the kernel’s TCP keepalive time to 120 seconds. To see the available parameters, run sysctl -a.




[1] If you’re wondering how it’s possible that the (indirect) result of a function is passed as an input to that same function: that’s because Nix is a “lazy” language — it only computes values when they are needed. This works as long as no individual configuration value depends on itself.

This chapter describes various aspects of managing a running NixOS system, such as how to use the systemd service manager.

3.1. Service management

In NixOS, all system services are started and monitored using the systemd program. Systemd is the “init” process of the system (i.e. PID 1), the parent of all other processes. It manages a set of so-called “units”, which can be things like system services (programs), but also mount points, swap files, devices, targets (groups of units) and more. Units can have complex dependencies; for instance, one unit can require that another unit must be successfully started before the first unit can be started. When the system boots, it starts a unit named default.target; the dependencies of this unit cause all system services to be started, file systems to be mounted, swap files to be activated, and so on.

The command systemctl is the main way to interact with systemd. Without any arguments, it shows the status of active units:

$ systemctl
-.mount          loaded active mounted   /
swapfile.swap    loaded active active    /swapfile
sshd.service     loaded active running   SSH Daemon
graphical.target loaded active active    Graphical Interface
...

You can ask for detailed status information about a unit, for instance, the PostgreSQL database service:

$ systemctl status postgresql.service
postgresql.service - PostgreSQL Server
          Loaded: loaded (/nix/store/pn3q73mvh75gsrl8w7fdlfk3fq5qm5mw-unit/postgresql.service)
          Active: active (running) since Mon, 2013-01-07 15:55:57 CET; 9h ago
        Main PID: 2390 (postgres)
          CGroup: name=systemd:/system/postgresql.service
                  ├─2390 postgres
                  ├─2418 postgres: writer process
                  ├─2419 postgres: wal writer process
                  ├─2420 postgres: autovacuum launcher process
                  ├─2421 postgres: stats collector process
                  └─2498 postgres: zabbix zabbix [local] idle

Jan 07 15:55:55 hagbard postgres[2394]: [1-1] LOG:  database system was shut down at 2013-01-07 15:55:05 CET
Jan 07 15:55:57 hagbard postgres[2390]: [1-1] LOG:  database system is ready to accept connections
Jan 07 15:55:57 hagbard postgres[2420]: [1-1] LOG:  autovacuum launcher started
Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server.

Note that this shows the status of the unit (active and running), all the processes belonging to the service, as well as the most recent log messages from the service.

Units can be stopped, started or restarted:

$ systemctl stop postgresql.service
$ systemctl start postgresql.service
$ systemctl restart postgresql.service

These operations are synchronous: they wait until the service has finished starting or stopping (or has failed). Starting a unit will cause the dependencies of that unit to be started as well (if necessary).

3.2. Rebooting and shutting down

The system can be shut down (and automatically powered off) by doing:

$ shutdown

This is equivalent to running systemctl poweroff.

To reboot the system, run

$ reboot

which is equivalent to systemctl reboot. Alternatively, you can quickly reboot the system using kexec, which bypasses the BIOS by directly loading the new kernel into memory:

$ systemctl kexec

The machine can be suspended to RAM (if supported) using systemctl suspend, and suspended to disk using systemctl hibernate.

These commands can be run by any user who is logged in locally, i.e. on a virtual console or in X11; otherwise, the user is asked for authentication.

3.3. User sessions

Systemd keeps track of all users who are logged into the system (e.g. on a virtual console or remotely via SSH). The command loginctl allows querying and manipulating user sessions. For instance, to list all user sessions:

$ loginctl
   SESSION        UID USER             SEAT
        c1        500 eelco            seat0
        c3          0 root             seat0
        c4        500 alice

This shows that two users are logged in locally, while another is logged in remotely. (“Seats” are essentially the combinations of displays and input devices attached to the system; usually, there is only one seat.) To get information about a session:

$ loginctl session-status c3
c3 - root (0)
           Since: Tue, 2013-01-08 01:17:56 CET; 4min 42s ago
          Leader: 2536 (login)
            Seat: seat0; vc3
             TTY: /dev/tty3
         Service: login; type tty; class user
           State: online
          CGroup: name=systemd:/user/root/c3
                  ├─ 2536 /nix/store/10mn4xip9n7y9bxqwnsx7xwx2v2g34xn-shadow-4.1.5.1/bin/login --
                  ├─10339 -bash
                  └─10355 w3m nixos.org

This shows that the user is logged in on virtual console 3. It also lists the processes belonging to this session. Since systemd keeps track of this, you can terminate a session in a way that ensures that all the session’s processes are gone:

$ loginctl terminate-session c3

3.4. Control groups

To keep track of the processes in a running system, systemd uses control groups (cgroups). A control group is a set of processes used to allocate resources such as CPU, memory or I/O bandwidth. There can be multiple control group hierarchies, allowing each kind of resource to be managed independently.

The command systemd-cgls lists all control groups in the systemd hierarchy, which is what systemd uses to keep track of the processes belonging to each service or user session:

$ systemd-cgls
├─user
│ └─eelco
│   └─c1
│     ├─ 2567 -:0
│     ├─ 2682 kdeinit4: kdeinit4 Running...
│     ├─ ...
│     └─10851 sh -c less -R
└─system
  ├─httpd.service
  │ ├─2444 httpd -f /nix/store/3pyacby5cpr55a03qwbnndizpciwq161-httpd.conf -DNO_DETACH
  │ └─...
  ├─dhcpcd.service
  │ └─2376 dhcpcd --config /nix/store/f8dif8dsi2yaa70n03xir8r653776ka6-dhcpcd.conf
  └─ ...

Similarly, systemd-cgls cpu shows the cgroups in the CPU hierarchy, which allows per-cgroup CPU scheduling priorities. By default, every systemd service gets its own CPU cgroup, while all user sessions are in the top-level CPU cgroup. This ensures, for instance, that a thousand run-away processes in the httpd.service cgroup cannot starve the CPU for one process in the postgresql.service cgroup. (By contrast, it they were in the same cgroup, then the PostgreSQL process would get 1/1001 of the cgroup’s CPU time.) You can limit a service’s CPU share in configuration.nix:

systemd.services.httpd.serviceConfig.CPUShares = 512;

By default, every cgroup has 1024 CPU shares, so this will halve the CPU allocation of the httpd.service cgroup.

There also is a memory hierarchy that controls memory allocation limits; by default, all processes are in the top-level cgroup, so any service or session can exhaust all available memory. Per-cgroup memory limits can be specified in configuration.nix; for instance, to limit httpd.service to 512 MiB of RAM (excluding swap) and 640 MiB of RAM (including swap):

systemd.services.httpd.serviceConfig.MemoryLimit = "512M";
systemd.services.httpd.serviceConfig.ControlGroupAttribute = [ "memory.memsw.limit_in_bytes 640M" ];

The command systemd-cgtop shows a continuously updated list of all cgroups with their CPU and memory usage.

3.5. Logging

System-wide logging is provided by systemd’s journal, which subsumes traditional logging daemons such as syslogd and klogd. Log entries are kept in binary files in /var/log/journal/. The command journalctl allows you to see the contents of the journal. For example,

$ journalctl -b

shows all journal entries since the last reboot. (The output of journalctl is piped into less by default.) You can use various options and match operators to restrict output to messages of interest. For instance, to get all messages from PostgreSQL:

$ journalctl -u postgresql.service
-- Logs begin at Mon, 2013-01-07 13:28:01 CET, end at Tue, 2013-01-08 01:09:57 CET. --
...
Jan 07 15:44:14 hagbard postgres[2681]: [2-1] LOG:  database system is shut down
-- Reboot --
Jan 07 15:45:10 hagbard postgres[2532]: [1-1] LOG:  database system was shut down at 2013-01-07 15:44:14 CET
Jan 07 15:45:13 hagbard postgres[2500]: [1-1] LOG:  database system is ready to accept connections

Or to get all messages since the last reboot that have at least a “critical” severity level:

$ journalctl -b -p crit
Dec 17 21:08:06 mandark sudo[3673]: pam_unix(sudo:auth): auth could not identify password for [alice]
Dec 29 01:30:22 mandark kernel[6131]: [1053513.909444] CPU6: Core temperature above threshold, cpu clock throttled (total events = 1)

The system journal is readable by root and by users in the wheel and systemd-journal groups. All users have a private journal that can be read using journalctl.

3.6. Cleaning up the Nix store

Nix has a purely functional model, meaning that packages are never upgraded in place. Instead new versions of packages end up in a different location in the Nix store (/nix/store). You should periodically run Nix’s garbage collector to remove old, unreferenced packages. This is easy:

$ nix-collect-garbage

Alternatively, you can use a systemd unit that does the same in the background:

$ systemctl start nix-gc.service

You can tell NixOS in configuration.nix to run this unit automatically at certain points in time, for instance, every night at 03:15:

nix.gc.automatic = true;
nix.gc.dates = "03:15";

The commands above do not remove garbage collector roots, such as old system configurations. Thus they do not remove the ability to roll back to previous configurations. The following command deletes old roots, removing the ability to roll back to them:

$ nix-collect-garbage -d

You can also do this for specific profiles, e.g.

$ nix-env -p /nix/var/nix/profiles/per-user/eelco/profile --delete-generations old

Note that NixOS system configurations are stored in the profile /nix/var/nix/profiles/system.

Another way to reclaim disk space (often as much as 40% of the size of the Nix store) is to run Nix’s store optimiser, which seeks out identical files in the store and replaces them with hard links to a single copy.

$ nix-store --optimise

Since this command needs to read the entire Nix store, it can take quite a while to finish.

4.1. Boot problems

If NixOS fails to boot, there are a number of kernel command line parameters that may help you to identify or fix the issue. You can add these parameters in the GRUB boot menu by pressing “e” to modify the selected boot entry and editing the line starting with linux. The following are some useful kernel command line parameters that are recognised by the NixOS boot scripts or by systemd:

boot.shell_on_fail

Start a root shell if something goes wrong in stage 1 of the boot process (the initial ramdisk). This is disabled by default because there is no authentication for the root shell.

boot.debug1

Start an interactive shell in stage 1 before anything useful has been done. That is, no modules have been loaded and no file systems have been mounted, except for /proc and /sys.

boot.trace

Print every shell command executed by the stage 1 and 2 boot scripts.

single

Boot into rescue mode (a.k.a. single user mode). This will cause systemd to start nothing but the unit rescue.target, which runs sulogin to prompt for the root password and start a root login shell. Exiting the shell causes the system to continue with the normal boot process.

systemd.log_level=debug systemd.log_target=console

Make systemd very verbose and send log messages to the console instead of the journal.

For more parameters recognised by systemd, see systemd(1).

If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If you’re lucky, this will start rescue mode (described above). (Also note that since most units have a 90-second timeout before systemd gives up on them, the agetty login prompts should appear eventually unless something is very wrong.)

4.2. Maintenance mode

You can enter rescue mode by running:

$ systemctl rescue

This will eventually give you a single-user root shell. Systemd will stop (almost) all system services. To get out of maintenance mode, just exit from the rescue shell.

4.3. Rolling back configuration changes

After running nixos-rebuild to switch to a new configuration, you may find that the new configuration doesn’t work very well. In that case, there are several ways to return to a previous configuration.

First, the GRUB boot manager allows you to boot into any previous configuration that hasn’t been garbage-collected. These configurations can be found under the GRUB submenu “NixOS - All configurations”. This is especially useful if the new configuration fails to boot. After the system has booted, you can make the selected configuration the default for subsequent boots:

$ /run/current-system/bin/switch-to-configuration boot

Second, you can switch to the previous configuration in a running system:

$ nixos-rebuild switch --rollback

This is equivalent to running:

$ /nix/var/nix/profiles/system-N-link/bin/switch-to-configuration switch

where N is the number of the NixOS system configuration. To get a list of the available configurations, do:

$ ls -l /nix/var/nix/profiles/system-*-link
...
lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link -> /nix/store/202b...-nixos-13.07pre4932_5a676e4-4be1055

4.4. Nix store corruption

After a system crash, it’s possible for files in the Nix store to become corrupted. (For instance, the Ext4 file system has the tendency to replace un-synced files with zero bytes.) NixOS tries hard to prevent this from happening: it performs a sync before switching to a new configuration, and Nix’s database is fully transactional. If corruption still occurs, you may be able to fix it automatically.

If the corruption is in a path in the closure of the NixOS system configuration, you can fix it by doing

$ nixos-rebuild switch --repair

This will cause Nix to check every path in the closure, and if its cryptographic hash differs from the hash recorded in Nix’s database, the path is rebuilt or redownloaded.

You can also scan the entire Nix store for corrupt paths:

$ nix-store --verify --check-contents --repair

Any corrupt paths will be redownloaded if they’re available in a binary cache; otherwise, they cannot be repaired.

4.5. Nix network issues

Nix uses a so-called binary cache to optimise building a package from source into downloading it as a pre-built binary. That is, whenever a command like nixos-rebuild needs a path in the Nix store, Nix will try to download that path from the Internet rather than build it from source. The default binary cache is http://cache.nixos.org/. If this cache is unreachable, Nix operations may take a long time due to HTTP connection timeouts. You can disable the use of the binary cache by adding --option use-binary-caches false, e.g.

$ nixos-rebuild switch --option use-binary-caches false

If you have an alternative binary cache at your disposal, you can use it instead:

$ nixos-rebuild switch --option binary-caches http://my-cache.example.org/

NixOS allows you to easily run other NixOS instances as containers. Containers are a light-weight approach to virtualisation that runs software in the container at the same speed as in the host system. NixOS containers share the Nix store of the host, making container creation very efficient.

Warning: Currently, NixOS containers are not perfectly isolated from the host system. This means that a user with root access to the container can do things that affect the host. So you should not give container root access to untrusted users.

NixOS containers can be created in two ways: imperatively, using the command nixos-container, and declaratively, by specifying them in your configuration.nix. The declarative approach implies that containers get upgraded along with your host system when you run nixos-rebuild, which is often not what you want. By contrast, in the imperative approach, containers are configured and updated independently from the host system.

5.1. Imperative container management

We’ll cover imperative container management using nixos-container first. You create a container with identifier foo as follows:

$ nixos-container create foo

This creates the container’s root directory in /var/lib/containers/foo and a small configuration file in /etc/containers/foo.conf. It also builds the container’s initial system configuration and stores it in /nix/var/nix/profiles/per-container/foo/system. You can modify the initial configuration of the container on the command line. For instance, to create a container that has sshd running, with the given public key for root:

$ nixos-container create foo --config 'services.openssh.enable = true; \
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'

Creating a container does not start it. To start the container, run:

$ nixos-container start foo

This command will return as soon as the container has booted and has reached multi-user.target. On the host, the container runs within a systemd unit called container@container-name.service. Thus, if something went wrong, you can get status info using systemctl:

$ systemctl status container@foo

If the container has started succesfully, you can log in as root using the root-login operation:

$ nixos-container root-login foo
[root@foo:~]#

Note that only root on the host can do this (since there is no authentication). You can also get a regular login prompt using the login operation, which is available to all users on the host:

$ nixos-container login foo
foo login: alice
Password: ***

With nixos-container run, you can execute arbitrary commands in the container:

$ nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux

There are several ways to change the configuration of the container. First, on the host, you can edit /var/lib/container/name/etc/nixos/configuration.nix, and run

$ nixos-container update foo

This will build and activate the new configuration. You can also specify a new configuration on the command line:

$ nixos-container update foo --config 'services.httpd.enable = true; \
  services.httpd.adminAddr = "foo@example.org";'

$ curl http://$(nixos-container show-ip foo)/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…

However, note that this will overwrite the container’s /etc/nixos/configuration.nix.

Alternatively, you can change the configuration from within the container itself by running nixos-rebuild switch inside the container. Note that the container by default does not have a copy of the NixOS channel, so you should run nix-channel --update first.

Containers can be stopped and started using nixos-container stop and nixos-container start, respectively, or by using systemctl on the container’s service unit. To destroy a container, including its file system, do

$ nixos-container destroy foo

5.2. Declarative container specification

You can also specify containers and their configuration in the host’s configuration.nix. For example, the following specifies that there shall be a container named database running PostgreSQL:

containers.database =
  { config =
      { config, pkgs, ... }:
      { services.postgresql.enable = true;
        services.postgresql.package = pkgs.postgresql92;
      };
  };

If you run nixos-rebuild switch, the container will be built and started. If the container was already running, it will be updated in place, without rebooting.

By default, declarative containers share the network namespace of the host, meaning that they can listen on (privileged) ports. However, they cannot change the network configuration. You can give a container its own network as follows:

containers.database =
  { privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
  };

This gives the container a private virtual Ethernet interface with IP address 192.168.100.11, which is hooked up to a virtual Ethernet interface on the host with IP address 192.168.100.10. (See the next section for details on container networking.)

To disable the container, just remove it from configuration.nix and run nixos-rebuild switch. Note that this will not delete the root directory of the container in /var/lib/containers.

5.3. Networking

When you create a container using nixos-container create, it gets it own private IPv4 address in the range 10.233.0.0/16. You can get the container’s IPv4 address as follows:

$ nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms

Networking is implemented using a pair of virtual Ethernet devices. The network interface in the container is called eth0, while the matching interface in the host is called c-container-name (e.g., c-foo). The container has its own network namespace and the CAP_NET_ADMIN capability, so it can perform arbitrary network configuration such as setting up firewall rules, without affecting or having access to the host’s network.

By default, containers cannot talk to the outside network. If you want that, you should set up Network Address Translation (NAT) rules on the host to rewrite container traffic to use your external IP address. This can be accomplished using the following configuration on the host:

networking.nat.enable = true;
networking.nat.internalInterfaces = ["c-+"];
networking.nat.externalInterface = "eth0";

where eth0 should be replaced with the desired external interface. Note that c-+ is a wildcard that matches all container interfaces.

This chapter describes how you can modify and extend NixOS.

6.1. Getting the sources

By default, NixOS’s nixos-rebuild command uses the NixOS and Nixpkgs sources provided by the nixos-unstable channel (kept in /nix/var/nix/profiles/per-user/root/channels/nixos). To modify NixOS, however, you should check out the latest sources from Git. This is done using the following command:

$ nixos-checkout /my/sources

or

$ mkdir -p /my/sources
$ cd /my/sources
$ nix-env -i git
$ git clone git://github.com/NixOS/nixpkgs.git

This will check out the latest NixOS sources to /my/sources/nixpkgs/nixos and the Nixpkgs sources to /my/sources/nixpkgs. (The NixOS source tree lives in a subdirectory of the Nixpkgs repository.)

It’s often inconvenient to develop directly on the master branch, since if somebody has just committed (say) a change to GCC, then the binary cache may not have caught up yet and you’ll have to rebuild everything from source. So you may want to create a local branch based on your current NixOS version:

$ nixos-version
14.04.273.ea1952b (Baboon)

$ git checkout -b local ea1952b

Or, to base your local branch on the latest version available in the NixOS channel:

$ curl -sI http://nixos.org/channels/nixos-unstable/ | grep Location
Location: http://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/

$ git checkout -b local acaf4a6

You can then use git rebase to sync your local branch with the upstream branch, and use git cherry-pick to copy commits from your local branch to the upstream branch.

If you want to rebuild your system using your (modified) sources, you need to tell nixos-rebuild about them using the -I flag:

$ nixos-rebuild switch -I nixpkgs=/my/sources/nixpkgs

If you want nix-env to use the expressions in /my/sources, use nix-env -f /my/sources/nixpkgs, or change the default by adding a symlink in ~/.nix-defexpr:

$ ln -s /my/sources/nixpkgs ~/.nix-defexpr/nixpkgs

You may want to delete the symlink ~/.nix-defexpr/channels_root to prevent root’s NixOS channel from clashing with your own tree.

6.2. Writing NixOS modules

NixOS has a modular system for declarative configuration. This system combines multiple modules to produce the full system configuration. One of the modules that constitute the configuration is /etc/nixos/configuration.nix. Most of the others live in the nixos/modules subdirectory of the Nixpkgs tree.

Each NixOS module is a file that handles one logical aspect of the configuration, such as a specific kind of hardware, a service, or network settings. A module configuration does not have to handle everything from scratch; it can use the functionality provided by other modules for its implementation. Thus a module can declare options that can be used by other modules, and conversely can define options provided by other modules in its own implementation. For example, the module pam.nix declares the option security.pam.services that allows other modules (e.g. sshd.nix) to define PAM services; and it defines the option environment.etc (declared by etc.nix) to cause files to be created in /etc/pam.d.

In Section 2.1, “Configuration syntax”, we saw the following structure of NixOS modules:

{ config, pkgs, ... }:

{ option definitions
}

This is actually an abbreviated form of module that only defines options, but does not declare any. The structure of full NixOS modules is shown in Example 6.1, “Structure of NixOS modules”.

Example 6.1. Structure of NixOS modules

{ config, pkgs, ... }: 1

{
  imports =
    [ paths of other modules 2
    ];

  options = {
    option declarations 3
  };

  config = {
    option definitions 4
  };
}


The meaning of each part is as follows.

1

This line makes the current Nix expression a function. The variable pkgs contains Nixpkgs, while config contains the full system configuration. This line can be omitted if there is no reference to pkgs and config inside the module.

2

This list enumerates the paths to other NixOS modules that should be included in the evaluation of the system configuration. A default set of modules is defined in the file modules/module-list.nix. These don't need to be added in the import list.

3

The attribute options is a nested set of option declarations (described below).

4

The attribute config is a nested set of option definitions (also described below).

Example 6.2, “NixOS module for the “locate” service” shows a module that handles the regular update of the “locate” database, an index of all files in the file system. This module declares two options that can be defined by other modules (typically the user’s configuration.nix): services.locate.enable (whether the database should be updated) and services.locate.period (when the update should be done). It implements its functionality by defining two options declared by other modules: systemd.services (the set of all systemd services) and services.cron.systemCronJobs (the list of commands to be executed periodically by cron).

Example 6.2. NixOS module for the “locate” service

{ config, lib, pkgs, ... }:

with lib;

let locatedb = "/var/cache/locatedb"; in

{
  options = {

    services.locate = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If enabled, NixOS will periodically update the database of
          files used by the locate command.
        '';
      };

      period = mkOption {
        type = types.str;
        default = "15 02 * * *";
        description = ''
          This option defines (in the format used by cron) when the
          locate database is updated.  The default is to update at
          02:15 at night every day.
        '';
      };

    };

  };

  config = {

    systemd.services.update-locatedb =
      { description = "Update Locate Database";
        path  = [ pkgs.su ];
        script =
          ''
            mkdir -m 0755 -p $(dirname ${locatedb})
            exec updatedb --localuser=nobody --output=${locatedb} --prunepaths='/tmp /var/tmp /media /run'
          '';
      };

    services.cron.systemCronJobs = optional config.services.locate.enable
      "${config.services.locate.period} root ${config.systemd.package}/bin/systemctl start update-locatedb.service";

  };
}


6.2.1. Option declarations

An option declaration specifies the name, type and description of a NixOS configuration option. It is illegal to define an option that hasn’t been declared in any module. A option declaration generally looks like this:

options = {
  name = mkOption {
    type = type specification;
    default = default value;
    example = example value;
    description = "Description for use in the NixOS manual.";
  };
};

The function mkOption accepts the following arguments.

type

The type of the option (see below). It may be omitted, but that’s not advisable since it may lead to errors that are hard to diagnose.

default

The default value used if no value is defined by any module. A default is not required; in that case, if the option value is ever used, an error will be thrown.

example

An example value that will be shown in the NixOS manual.

description

A textual description of the option, in DocBook format, that will be included in the NixOS manual.

Here is a non-exhaustive list of option types:

types.bool

A Boolean.

types.int

An integer.

types.str

A string.

types.lines

A string. If there are multiple definitions, they are concatenated, with newline characters in between.

types.path

A path, defined as anything that, when coerced to a string, starts with a slash. This includes derivations.

types.listOf t

A list of elements of type t (e.g., types.listOf types.str is a list of strings). Multiple definitions are concatenated together.

types.attrsOf t

A set of elements of type t (e.g., types.attrsOf types.int is a set of name/value pairs, the values being integers).

types.nullOr t

Either the value null or something of type t.

You can also create new types using the function mkOptionType. See lib/types.nix in Nixpkgs for details.

6.2.2. Option definitions

Option definitions are generally straight-forward bindings of values to option names, like

config = {
  services.httpd.enable = true;
};

However, sometimes you need to wrap an option definition or set of option definitions in a property to achieve certain effects:

Delaying conditionals

If a set of option definitions is conditional on the value of another option, you may need to use mkIf. Consider, for instance:

config = if config.services.httpd.enable then {
  environment.systemPackages = [ ... ];
  ...
} else {};

This definition will cause Nix to fail with an “infinite recursion” error. Why? Because the value of config.services.httpd.enable depends on the value being constructed here. After all, you could also write the clearly circular and contradictory:

config = if config.services.httpd.enable then {
  services.httpd.enable = false;
} else {
  services.httpd.enable = true;
};

The solution is to write:

config = mkIf config.services.httpd.enable {
  environment.systemPackages = [ ... ];
  ...
};

The special function mkIf causes the evaluation of the conditional to be “pushed down” into the individual definitions, as if you had written:

config = {
  environment.systemPackages = if config.services.httpd.enable then [ ... ] else [];
  ...
};

Setting priorities

A module can override the definitions of an option in other modules by setting a priority. All option definitions that do not have the lowest priority value are discarded. By default, option definitions have priority 1000. You can specify an explicit priority by using mkOverride, e.g.

services.openssh.enable = mkOverride 10 false;

This definition causes all other definitions with priorities above 10 to be discarded. The function mkForce is equal to mkOverride 50.

Merging configurations

In conjunction with mkIf, it is sometimes useful for a module to return multiple sets of option definitions, to be merged together as if they were declared in separate modules. This can be done using mkMerge:

config = mkMerge
  [ # Unconditional stuff.
    { environment.systemPackages = [ ... ];
    }
    # Conditional stuff.
    (mkIf config.services.bla.enable {
      environment.systemPackages = [ ... ];
    })
  ];

6.2.3. Important options

NixOS has many options, but some are of particular importance to module writers.

environment.etc

This set defines files in /etc. A typical use is:

environment.etc."os-release".text =
  ''
    NAME=NixOS
    ...
  '';

which causes a file named /etc/os-release to be created with the given contents.

system.activationScripts

A set of shell script fragments that must be executed whenever the configuration is activated (i.e., at boot time, or after running nixos-rebuild switch). For instance,

system.activationScripts.media =
  ''
    mkdir -m 0755 -p /media
  '';

causes the directory /media to be created. Activation scripts must be idempotent. They should not start background processes such as daemons; use systemd.services for that.

systemd.services

This is the set of systemd services. Example:

systemd.services.dhcpcd =
  { description = "DHCP Client";
    wantedBy = [ "multi-user.target" ];
    after = [ "systemd-udev-settle.service" ];
    path = [ dhcpcd pkgs.nettools pkgs.openresolv ];
    serviceConfig =
      { Type = "forking";
        PIDFile = "/run/dhcpcd.pid";
        ExecStart = "${dhcpcd}/sbin/dhcpcd --config ${dhcpcdConf}";
        Restart = "always";
      };
  };

which creates the systemd unit dhcpcd.service. The option wantedBy determined which other units pull this one in; multi-user.target is the default target of the system, so dhcpcd.service will always be started. The option serviceConfig.ExecStart provides the main command for the service; it’s also possible to provide pre-start actions, stop scripts, and so on.

users.extraUsers, users.extraGroups

If your service requires special UIDs or GIDs, you can define them with these options. See Section 2.3, “User management” for details.

6.3. Building specific parts of NixOS

With the command nix-build, you can build specific parts of your NixOS configuration. This is done as follows:

$ cd /path/to/nixpkgs/nixos
$ nix-build -A config.option

where option is a NixOS option with type “derivation” (i.e. something that can be built). Attributes of interest include:

system.build.toplevel

The top-level option that builds the entire NixOS system. Everything else in your configuration is indirectly pulled in by this option. This is what nixos-rebuild builds and what /run/current-system points to afterwards.

A shortcut to build this is:

$ nix-build -A system

system.build.manual.manual

The NixOS manual.

system.build.etc

A tree of symlinks that form the static parts of /etc.

system.build.initialRamdisk, system.build.kernel

The initial ramdisk and kernel of the system. This allows a quick way to test whether the kernel and the initial ramdisk boot correctly, by using QEMU’s -kernel and -initrd options:

$ nix-build -A config.system.build.initialRamdisk -o initrd
$ nix-build -A config.system.build.kernel -o kernel
$ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/null

system.build.nixos-rebuild, system.build.nixos-install, system.build.nixos-generate-config

These build the corresponding NixOS commands.

systemd.units.unit-name.unit

This builds the unit with the specified name. Note that since unit names contain dots (e.g. httpd.service), you need to put them between quotes, like this:

$ nix-build -A 'config.systemd.units."httpd.service".unit'

You can also test individual units, without rebuilding the whole system, by putting them in /run/systemd/system:

$ cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \
    /run/systemd/system/tmp-httpd.service
$ systemctl daemon-reload
$ systemctl start tmp-httpd.service

Note that the unit must not have the same name as any unit in /etc/systemd/system since those take precedence over /run/systemd/system. That’s why the unit is installed as tmp-httpd.service here.

6.4. Building your own NixOS CD

Building a NixOS CD is as easy as configuring your own computer. The idea is to use another module which will replace your configuration.nix to configure the system that would be installed on the CD.

Default CD/DVD configurations are available inside nixos/modules/installer/cd-dvd. To build them you have to set NIXOS_CONFIG before running nix-build to build the ISO.

$ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix

Before burning your CD/DVD, you can check the content of the image by mounting anywhere like suggested by the following command:

$ mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso

6.5. Testing the installer

Building, burning, and booting from an installation CD is rather tedious, so here is a quick way to see if the installer works properly:

$ nix-build -A config.system.build.nixos-install
$ dd if=/dev/zero of=diskimage seek=2G count=0 bs=1
$ yes | mke2fs -j diskimage
$ mount -o loop diskimage /mnt
$ ./result/bin/nixos-install

6.6. NixOS tests

When you add some feature to NixOS, you should write a test for it. NixOS tests are kept in the directory nixos/tests, and are executed (using Nix) by a testing framework that automatically starts one or more virtual machines containing the NixOS system(s) required for the test.

Writing tests

A NixOS test is a Nix expression that has the following structure:

import ./make-test.nix {

  # Either the configuration of a single machine:
  machine =
    { config, pkgs, ... }:
    { configuration…
    };

  # Or a set of machines:
  nodes =
    { machine1 =
        { config, pkgs, ... }: {  };
      machine2 =
        { config, pkgs, ... }: {  };
      …
    };

  testScript =
    ''
      Perl code…
    '';
}

The attribute testScript is a bit of Perl code that executes the test (described below). During the test, it will start one or more virtual machines, the configuration of which is described by the attribute machine (if you need only one machine in your test) or by the attribute nodes (if you need multiple machines). For instance, login.nix only needs a single machine to test whether users can log in on the virtual console, whether device ownership is correctly maintained when switching between consoles, and so on. On the other hand, nfs.nix, which tests NFS client and server functionality in the Linux kernel (including whether locks are maintained across server crashes), requires three machines: a server and two clients.

There are a few special NixOS configuration options for test VMs:

virtualisation.memorySize

The memory of the VM in megabytes.

virtualisation.vlans

The virtual networks to which the VM is connected. See nat.nix for an example.

virtualisation.writableStore

By default, the Nix store in the VM is not writable. If you enable this option, a writable union file system is mounted on top of the Nix store to make it appear writable. This is necessary for tests that run Nix operations that modify the store.

For more options, see the module qemu-vm.nix.

The test script is a sequence of Perl statements that perform various actions, such as starting VMs, executing commands in the VMs, and so on. Each virtual machine is represented as an object stored in the variable $name, where name is the identifier of the machine (which is just machine if you didn’t specify multiple machines using the nodes attribute). For instance, the following starts the machine, waits until it has finished booting, then executes a command and checks that the output is more-or-less correct:

$machine->start;
$machine->waitForUnit("default.target");
$machine->succeed("uname") =~ /Linux/;

The first line is actually unnecessary; machines are implicitly started when you first execute an action on them (such as waitForUnit or succeed). If you have multiple machines, you can speed up the test by starting them in parallel:

startAll;

The following methods are available on machine objects:

start

Start the virtual machine. This method is asynchronous — it does not wait for the machine to finish booting.

shutdown

Shut down the machine, waiting for the VM to exit.

crash

Simulate a sudden power failure, by telling the VM to exit immediately.

block

Simulate unplugging the Ethernet cable that connects the machine to the other machines.

unblock

Undo the effect of block.

screenshot

Take a picture of the display of the virtual machine, in PNG format. The screenshot is linked from the HTML log.

sendMonitorCommand

Send a command to the QEMU monitor. This is rarely used, but allows doing stuff such as attaching virtual USB disks to a running machine.

sendKeys

Simulate pressing keys on the virtual keyboard, e.g., sendKeys("ctrl-alt-delete").

sendChars

Simulate typing a sequence of characters on the virtual keyboard, e.g., sendKeys("foobar\n") will type the string foobar followed by the Enter key.

execute

Execute a shell command, returning a list (status, stdout).

succeed

Execute a shell command, raising an exception if the exit status is not zero, otherwise returning the standard output.

fail

Like succeed, but raising an exception if the command returns a zero status.

waitUntilSucceeds

Repeat a shell command with 1-second intervals until it succeeds.

waitUntilFails

Repeat a shell command with 1-second intervals until it fails.

waitForUnit

Wait until the specified systemd unit has reached the “active” state.

waitForFile

Wait until the specified file exists.

waitForOpenPort

Wait until a process is listening on the given TCP port (on localhost, at least).

waitForClosedPort

Wait until nobody is listening on the given TCP port.

waitForX

Wait until the X11 server is accepting connections.

waitForWindow

Wait until an X11 window has appeared whose name matches the given regular expression, e.g., waitForWindow(qr/Terminal/).

Running tests

You can run tests using nix-build. For example, to run the test login.nix, you just do:

$ nix-build '<nixpkgs/nixos/tests/login.nix>'

or, if you don’t want to rely on NIX_PATH:

$ cd /my/nixpkgs/nixos/tests
$ nix-build login.nix
…
running the VM test script
machine: QEMU running (pid 8841)
…
6 out of 6 tests succeeded

After building/downloading all required dependencies, this will perform a build that starts a QEMU/KVM virtual machine containing a NixOS system. The virtual machine mounts the Nix store of the host; this makes VM creation very fast, as no disk image needs to be created. Afterwards, you can view a pretty-printed log of the test:

$ firefox result/log.html

It is also possible to run the test environment interactively, allowing you to experiment with the VMs. For example:

$ nix-build login.nix -A driver
$ ./result/bin/nixos-run-vms

The script nixos-run-vms starts the virtual machines defined by test. The root file system of the VMs is created on the fly and kept across VM restarts in ./hostname.qcow2.

Finally, the test itself can be run interactively. This is particularly useful when developing or debugging a test:

$ nix-build tests/ -A nfs.driver
$ ./result/bin/nixos-test-driver
starting VDE switch for network 1
>

You can then take any Perl statement, e.g.

> startAll
> $machine->succeed("touch /tmp/foo")

The function testScript executes the entire test script and drops you back into the test driver command line upon its completion. This allows you to inspect the state of the VMs after the test (e.g. to debug the test script).

A.1. Release 14.04 (“Baboon”, 2014/04/30)

This is the second stable release branch of NixOS. In addition to numerous new and upgraded packages and modules, this release has the following highlights:

  • Installation on UEFI systems is now supported. See Section 1.2.1, “UEFI Installation” for details.

  • Systemd has been updated to version 212, which has numerous improvements. NixOS now automatically starts systemd user instances when you log in. You can define global user units through the systemd.unit.* options.

  • NixOS is now based on Glibc 2.19 and GCC 4.8.

  • The default Linux kernel has been updated to 3.12.

  • KDE has been updated to 4.12.

  • GNOME 3.10 experimental support has been added.

  • Nix has been updated to 1.7 (details).

  • NixOS now supports fully declarative management of users and groups. If you set users.mutableUsers to false, then the contents of /etc/passwd and /etc/group will be congruent to your NixOS configuration. For instance, if you remove a user from users.extraUsers and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available. If users.mutableUsers is true (the default), then behaviour is unchanged from NixOS 13.10.

  • NixOS now has basic container support, meaning you can easily run a NixOS instance as a container in a NixOS host system. These containers are suitable for testing and experimentation but not production use, since they’re not fully isolated from the host. See Chapter 5, Containers for details.

  • Systemd units provided by packages can now be overridden from the NixOS configuration. For instance, if a package foo provides systemd units, you can say:

    systemd.packages = [ pkgs.foo ];
    

    to enable those units. You can then set or override unit options in the usual way, e.g.

    systemd.services.foo.wantedBy = [ "multi-user.target" ];
    systemd.services.foo.serviceConfig.MemoryLimit = "512M";
    

When upgrading from a previous release, please be aware of the following incompatible changes:

  • Nixpkgs no longer exposes unfree packages by default. If your NixOS configuration requires unfree packages from Nixpkgs, you need to enable support for them explicitly by setting:

    nixpkgs.config.allowUnfree = true;
    

    Otherwise, you get an error message such as:

    error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:56’
      has an unfree license, refusing to evaluate
    

  • The Adobe Flash player is no longer enabled by default in the Firefox and Chromium wrappers. To enable it, you must set:

    nixpkgs.config.allowUnfree = true;
    nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
    nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
    

  • The firewall is now enabled by default. If you don’t want this, you need to disable it explicitly:

    networking.firewall.enable = false;
    

  • The option boot.loader.grub.memtest86 has been renamed to boot.loader.grub.memtest86.enable.

  • The mysql55 service has been merged into the mysql service, which no longer sets a default for the option services.mysql.package.

  • Package variants are now differentiated by suffixing the name, rather than the version. For instance, sqlite-3.8.4.3-interactive is now called sqlite-interactive-3.8.4.3. This ensures that nix-env -i sqlite is unambiguous, and that nix-env -u won’t “upgrade” sqlite to sqlite-interactive or vice versa. Notably, this change affects the Firefox wrapper (which provides plugins), as it is now called firefox-wrapper. So when using nix-env, you should do nix-env -e firefox; nix-env -i firefox-wrapper if you want to keep using the wrapper. This change does not affect declarative package management, since attribute names like pkgs.firefoxWrapper were already unambiguous.

  • The symlink /etc/ca-bundle.crt is gone. Programs should instead use the environment variable OPENSSL_X509_CERT_FILE (which points to /etc/ssl/certs/ca-bundle.crt).

A.2. Release 13.10 (“Aardvark”, 2013/10/31)

This is the first stable release branch of NixOS.

boot.blacklistedKernelModules

List of names of kernel modules that should not be loaded automatically by the hardware probing code.

Default: [ ]

Example: [ "cirrusfb" "i2c_piix4" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.cleanTmpDir

Whether to delete all files in /tmp during boot.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.consoleLogLevel

The kernel console log level. Only log messages with a priority numerically less than this will appear on the console.

Default: 4

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.crashDump.enable

If enabled, NixOS will set up a kernel that will boot on crash, and leave the user to a stage1 debug1devices interactive shell to be able to save the crashed kernel dump. It also activates the NMI watchdog.

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/crashdump.nix>
boot.crashDump.kernelPackages

This will override the boot.kernelPackages, and will add some kernel configuration parameters for the crash dump to work.

Default: "pkgs.linuxPackages"

Example: "pkgs.linuxPackages_2_6_25"

Declared by:

<nixpkgs/nixos/modules/misc/crashdump.nix>
boot.crashDump.kernelParams

Parameters that will be passed to the kernel kexec-ed on crash.

Default: [ "debug1devices" ]

Declared by:

<nixpkgs/nixos/modules/misc/crashdump.nix>
boot.devShmSize

Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Default: "50%"

Example: "256m"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.devSize

Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Default: "5%"

Example: "32m"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.extraModprobeConfig

Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.conf(5) for details.

Default: ""

Example:

''
options parport_pc io=0x378 irq=7 dma=1
''

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.extraModulePackages

A list of additional packages supplying kernel modules.

Default: [ ]

Example:

[ pkgs.linuxPackages.nvidia_x11 ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.extraTTYs

Tty (virtual console) devices, in addition to the consoles on which mingetty and syslogd run, that must be initialised. Only useful if you have some program that you want to run on some fixed console. For example, the NixOS installation CD opens the manual in a web browser on console 7, so it sets boot.extraTTYs to ["tty7"].

Default: [ ]

Example: [ "tty8" "tty9" ]

Declared by:

<nixpkgs/nixos/modules/tasks/kbd.nix>
boot.hardwareScan

Whether to try to load kernel modules for all detected hardware. Usually this does a good job of providing you with the modules you need, but sometimes it can crash the system or cause other nasty effects.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
boot.initrd.availableKernelModules

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Default: [ ]

Example: [ "sata_nv" "ext3" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.checkJournalingFS

Whether to run fsck on journaling filesystems such as ext3.

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.kernelModules

List of modules that are always loaded by the initrd.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.luks.cryptoModules

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Default: [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "aes_x86_64" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices

The list of devices that should be decrypted using LUKS before trying to mount the root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups. The devices are decrypted to the device mapper names defined. Make sure that initrd has the crypto modules needed for decryption.

Default: [ ]

Example: [ { device = "/dev/sda3"; name = "luksroot"; preLVM = true; } ]

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.*.allowDiscards

Whether to allow TRIM requests to the underlying device. This option has security implications, please read the LUKS documentation before activating in.

Default: false

boot.initrd.luks.devices.*.device

Path of the underlying block device.

Example: "/dev/sda2"

boot.initrd.luks.devices.*.keyFile

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Default: null

Example: "/dev/sdb1"

boot.initrd.luks.devices.*.keyFileSize

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used decryption, instead of just the first keyFileSize bytes.

Default: null

Example: 4096

boot.initrd.luks.devices.*.name

Named to be used for the generated device in /dev/mapper.

Example: "luksroot"

boot.initrd.luks.devices.*.preLVM

Whether the luksOpen will be attempted before LVM scan or after it.

Default: true

boot.initrd.luks.devices.*.yubikey

The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.

Default: null

boot.initrd.luks.devices.*.yubikey.gracePeriod

Time in seconds to wait before attempting to find the Yubikey

Default: 2

boot.initrd.luks.devices.*.yubikey.iterationStep

How much the iteration count for PBKDF2 is increased at each successful authentication

Default: 0

boot.initrd.luks.devices.*.yubikey.keyLength

Length of the LUKS slot key derived with PBKDF2 in byte

Default: 64

boot.initrd.luks.devices.*.yubikey.ramfsMountPoint

Path where the ramfs used to update the LUKS key will be mounted in stage-1

Default: "/crypt-ramfs"

boot.initrd.luks.devices.*.yubikey.saltLength

Length of the new salt in byte (64 is the effective maximum)

Default: 16

boot.initrd.luks.devices.*.yubikey.slot

Which slot on the Yubikey to challenge

Default: 2

boot.initrd.luks.devices.*.yubikey.storage

Options related to the storing the salt

boot.initrd.luks.devices.*.yubikey.storage.device

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Default:

boot.initrd.luks.devices.*.yubikey.storage.fsType

The filesystem of the unencrypted device

Default: "vfat"

boot.initrd.luks.devices.*.yubikey.storage.mountPoint

Path where the unencrypted device will be mounted in stage-1

Default: "/crypt-storage"

boot.initrd.luks.devices.*.yubikey.storage.path

Absolute path of the salt on the unencrypted device with that device's root directory as "/".

Default: "/crypt-storage/default"

boot.initrd.luks.devices.*.yubikey.twoFactor

Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false)

Default: true

boot.initrd.luks.mitigateDMAAttacks

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information: http://en.wikipedia.org/wiki/DMA_attack This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.yubikeySupport

Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly setup a LUKS device and a Yubikey to work with this feature.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.mdadmConf

Contents of /etc/mdadm.conf in stage 1.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.postDeviceCommands

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.postMountCommands

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.preLVMCommands

Shell commands to be executed immediately before LVM discovery.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.supportedFilesystems

Names of supported filesystem types in the initial ramdisk.

Default: [ ]

Example: [ "btrfs" ]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.isContainer

Whether this NixOS machine is a lightweight container running in another NixOS system.

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
boot.kernel.sysctl

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

Default: { }

Example: { net.ipv4.tcp_syncookies = false; vm.swappiness = 60; }

Declared by:

<nixpkgs/nixos/modules/config/sysctl.nix>
boot.kernelModules

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelPackages

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Default: "pkgs.linuxPackages"

Example:

pkgs.linuxPackages_2_6_25

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelParams

Parameters added to the kernel command line.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.loader.efi.canTouchEfiVariables

Whether or not the installation process should modify efi boot variables.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
boot.loader.efi.efiSysMountPoint

Where the EFI System Partition is mounted.

Default: "/boot"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
boot.loader.generationsDir.copyKernels

Whether copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
boot.loader.generationsDir.enable

Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files. This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
boot.loader.grub.configurationLimit

Maximum of configurations in boot menu. GRUB has problems when there are too many entries.

Default: 100

Example: 120

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.configurationName

GRUB entry name instead of default.

Default: ""

Example: "Stable 2.6.21"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.copyKernels

Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.default

Index of the default menu item to be booted.

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.device

The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.

Default: ""

Example: "/dev/hda"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.devices

The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install grub into multiple devices (e.g., if as softraid arrays holding /boot).

Default: [ ]

Example: [ "/dev/hda" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.enable

Whether to enable the GNU GRUB boot loader.

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.explicitBootRoot

The relative path of /boot within the parent volume. Leave empty if /boot is not a btrfs subvolume.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraConfig

Additional GRUB commands inserted in the configuration file just before the menu entries.

Default: ""

Example: "serial; terminal_output.serial"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraEntries

Any additional entries you want added to the GRUB boot menu.

Default: ""

Example:

''
# GRUB 1 example (not GRUB 2 compatible)
title Windows
  chainloader (hd0,1)+1

# GRUB 2 example
menuentry "Windows 7" {
  chainloader (hd0,4)+1
}
''

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraEntriesBeforeNixOS

Whether extraEntries are included before the default option.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraFiles

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Default: { }

Example:

{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraPerEntryConfig

Additional GRUB commands inserted in the configuration file at the start of each NixOS menu entry.

Default: ""

Example: "root (hd0)"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraPrepareConfig

Additional bash commands to be run at the script that prepares the grub menu entries.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.memtest86.enable

Make Memtest86+, a memory testing program, available from the GRUB boot menu.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/memtest.nix>
boot.loader.grub.memtest86.params

Parameters added to the Memtest86+ command line. As of memtest86+ 5.01 the following list of (apparently undocumented) parameters are accepted:

  • console=..., set up a serial console. Examples: console=ttyS0, console=ttyS0,9600 or console=ttyS0,115200n8.

  • btrace, enable boot trace.

  • maxcpus=N, limit number of CPUs.

  • onepass, run one pass and exit if there are no errors.

  • tstlist=..., list of tests to run. Example: 0,1,2.

  • cpumask=..., set a CPU mask, to select CPUs to use for testing.

This list of command line options was obtained by reading the Memtest86+ source code.

Default: [ ]

Example: [ "console=ttyS0,115200" ]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/memtest.nix>
boot.loader.grub.splashImage

Background image used for GRUB. It must be a 640x480, 14-colour image in XPM format, optionally compressed with gzip or bzip2. Set to null to run GRUB in text mode.

Example:

./my-background.png

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.timeout

Timeout (in seconds) until GRUB boots the default menu item.

Default: 5

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.version

The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.

Default: 2

Example: 1

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.gummiboot.enable

Whether to enable the gummiboot UEFI boot manager

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix>
boot.loader.gummiboot.timeout

Timeout (in seconds) for how long to show the menu (null if none). Note that even with no timeout the menu can be forced if the space key is pressed during bootup

Default: null

Example: 4

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/gummiboot/gummiboot.nix>
boot.loader.initScript.enable

Some systems require a /sbin/init script which is started. Or having it makes starting NixOS easier. This applies to some kind of hosting services and user mode linux. Additionally this script will create /boot/init-other-configurations-contents.txt containing contents of remaining configurations. You can copy paste them into /sbin/init manually running a rescue system or such.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/init-script/init-script.nix>
boot.loader.raspberryPi.enable

Whether to create files with the system generations in /boot. /boot/old will hold files from old generations.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix>
boot.postBootCommands

Shell commands to be executed just before systemd is started.

Default: ""

Example: "rm -f /var/log/messages"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.resumeDevice

Device for manual resume attempt during boot, specified using the device's major and minor number as major:minor.

Default: null

Example: "8:2"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.runSize

Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Default: "25%"

Example: "256m"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.spl.hostid

ZFS uses a system's hostid to determine if a storage pool (zpool) is native to this system, and should thus be imported automatically. Unfortunately, this hostid can change under linux from boot to boot (by changing network adapters, for instance). Specify a unique 32 bit hostid in hex here for zfs to prevent getting a random hostid between boots and having to manually import pools.

Default: ""

Example: "0xdeadbeef"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.supportedFilesystems

Names of supported filesystem types.

Default: [ ]

Example: [ "btrfs" ]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.vesa

Whether to activate VESA video mode on boot.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.zfs.useGit

Use the git version of the SPL and ZFS packages. Note that these are unreleased versions, with less testing, and therefore may be more unstable.

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
containers

A set of NixOS system configurations to be run as lightweight containers. Each container appears as a service container-name on the host system, allowing it to be started and stopped via systemctl .

Default: { }

Example:

{ webserver =
    { path = "/nix/var/nix/profiles/webserver";
    };
  database =
    { config =
        { config, pkgs, ... }:
        { services.postgresql.enable = true;
          services.postgresql.package = pkgs.postgresql92;
        };
    };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
containers.<name>.config

A specification of the desired configuration of this container, as a NixOS module.

containers.<name>.hostAddress

The IPv4 address assigned to the host interface.

Default: null

Example: "10.231.136.1"

containers.<name>.localAddress

The IPv4 address assigned to eth0 in the container.

Default: null

Example: "10.231.136.2"

containers.<name>.path

As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.

Example: "/nix/var/nix/profiles/containers/webserver"

containers.<name>.privateNetwork

Whether to give the container its own private virtual Ethernet interface. The interface is called eth0, and is hooked up to the interface c-container-name on the host. If this option is not set, then the container shares the network interfaces of the host, and can bind to any port on any interface.

Default: false

environment.binsh

The shell executable that is linked system-wide to /bin/sh. Please note that NixOS assumes all over the place that shell to be Bash, so override the default setting only if you know exactly what you're doing.

Default: "/nix/store/k0f4zly6fs6dr5x66w8zawipm34msnn6-bash-4.2-p45/bin/sh"

Example: "\${pkgs.dash}/bin/dash"

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.blcr.enable

Whether to enable support for the BLCR checkpointing tool.

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/blcr.nix>
environment.checkConfigurationOptions

Whether to check the validity of the entire configuration.

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/check-config.nix>
environment.etc

Set of files that have to be linked in /etc.

Default: { }

Example:

{ hosts =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name?>.enable

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Default: true

environment.etc.<name?>.gid

GID of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink').

Default: 0

environment.etc.<name?>.mode

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Default: "symlink"

Example: "0600"

environment.etc.<name?>.source

Path of the source file.

environment.etc.<name?>.target

Name of symlink (relative to /etc). Defaults to the attribute name.

environment.etc.<name?>.text

Text of the file.

Default: null

environment.etc.<name?>.uid

UID of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink').

Default: 0

environment.extraInit

Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.gnome3.excludePackages

Which packages gnome should exclude from the default environment

Default: [ ]

Example: "[ pkgs.gnome3.totem ]"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome3.nix>
environment.interactiveShellInit

Shell script code called during interactive shell initialisation. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.kdePackages

This option is obsolete. Please use environment.systemPackages instead.

Default: [ ]

Example: "[ pkgs.kde4.kdesdk ]"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/kde4.nix>
environment.loginShellInit

Shell script code called during login shell initialisation. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.noXlibs

Switch off the options in the default configuration that require X11 libraries. This includes client-side font configuration and SSH forwarding of X11 authentication in. Thus, you probably do not want to enable this option if you want to run X11 programs on this machine via SSH.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/no-x-libs.nix>
environment.pathsToLink

List of directories to be symlinked in `/run/current-system/sw'.

Default: [ ]

Example: [ "/" ]

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.profileVariables

A function which given a profile path should give back a set of environment variables for that profile.

Default:

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.profiles

A list of profiles used to setup the global environment.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shellAliases

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells.

Default: { }

Example: { ll = "ls -l"; }

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shellInit

Shell script code called during shell initialisation. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shells

A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.

Default: [ ]

Example: [ "/run/current-system/sw/bin/zsh" ]

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.systemPackages

The set of packages that appear in /run/current-system/sw. These packages are automatically available to all users, and are automatically updated every time you rebuild the system configuration. (The latter is the main difference with installing them in the default profile, /nix/var/nix/profiles/default.

Default: [ ]

Example: "[ pkgs.icecat3 pkgs.thunderbird ]"

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.unixODBCDrivers

Specifies Unix ODBC drivers to be registered in /etc/odbcinst.ini. You may also want to add pkgs.unixODBC to the system path to get a command line client to connnect to ODBC databases.

Default: [ ]

Example:

map (x : x.ini) (with pkgs.unixODBCDrivers; [ mysql psql psqlng ] )

Declared by:

<nixpkgs/nixos/modules/config/unix-odbc-drivers.nix>
environment.variables

A set of environment variables used in the global environment. The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.wvdial.dialerDefaults

Contents of the "Dialer Defaults" section of /etc/wvdial.conf.

Default: ""

Example: ''Init1 = AT+CGDCONT=1,"IP","internet.t-mobile"''

Declared by:

<nixpkgs/nixos/modules/programs/wvdial.nix>
environment.wvdial.pppDefaults

Default ppp settings for wvdial.

Default:

''
noipdefault
usepeerdns
defaultroute
persist
noauth
''

Declared by:

<nixpkgs/nixos/modules/programs/wvdial.nix>
fileSystems

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to "defaults"). Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Default: { }

Example: { / = { device = "/dev/hda1"; } ; /bigdisk = { label = "bigdisk"; } ; /data = { device = "/dev/hda2"; fsType = "ext3"; options = "data=journal"; } ; }

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
fileSystems.<name?>.autoFormat

If the device does not currently contain a filesystem (as determined by blkid, then automatically format it with the filesystem type specified in fsType. Use with caution.

Default: false

fileSystems.<name?>.device

Location of the device.

Default: null

Example: "/dev/sda"

fileSystems.<name?>.fsType

Type of the file system.

Default: "auto"

Example: "ext3"

fileSystems.<name?>.label

Label of the device (if any).

Default: null

Example: "root-partition"

fileSystems.<name?>.mountPoint

Location of the mounted the file system.

Example: "/mnt/usb"

fileSystems.<name?>.neededForBoot

If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing /nix/store.

Default: false

fileSystems.<name?>.noCheck

Disable running fsck on this filesystem.

Default: false

fileSystems.<name?>.options

Options used to mount the file system.

Default: "defaults,relatime"

Example: "data=journal"

fonts.enableCoreFonts

Whether to include Microsoft's proprietary Core Fonts. These fonts are redistributable, but only verbatim, among other restrictions. See http://corefonts.sourceforge.net/eula.htm for details.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/corefonts.nix>
fonts.enableFontConfig

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts.

Default: true

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.enableFontDir

Whether to create a directory with links to all fonts in /run/current-system/sw/share/X11-fonts.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontdir.nix>
fonts.enableGhostscriptFonts

Whether to add the fonts provided by Ghostscript (such as various URW fonts and the “Base-14” Postscript fonts) to the list of system fonts, making them available to X11 applications.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/ghostscript.nix>
fonts.fonts

List of primary font paths.

Example: [ (build of dejavu-fonts-2.34) ]

Declared by:

<nixpkgs/nixos/modules/config/fonts/fonts.nix>
gnu

When enabled, GNU software is chosen by default whenever a there is a choice between GNU and non-GNU software (e.g., GNU lsh vs. OpenSSH).

Default: false

Declared by:

<nixpkgs/nixos/modules/config/gnu.nix>
hardware.amdHybridGraphics.disable

Completely disable the AMD graphics card and use the integrated graphics processor instead.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/amd-hybrid-graphics.nix>
hardware.bluetooth.enable

Whether to enable support for Bluetooth.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bumblebee.enable

Enable the bumblebee daemon to manage Optimus hybrid video cards. This should power off secondary GPU until its use is requested by running an application with optirun. Only nvidia driver is supported so far.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.bumblebee.group

Group for bumblebee socket

Default: "wheel"

Example: "video"

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.cpu.amd.updateMicrocode

Update the CPU microcode for AMD processors.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-microcode.nix>
hardware.cpu.intel.updateMicrocode

Update the CPU microcode for Intel processors.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-microcode.nix>
hardware.enableAllFirmware

Turn on this option if you want to enable all the firmware shipped with Debian/Ubuntu.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/all-firmware.nix>
hardware.firmware

List of directories containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If more than one path contains a firmware file with the same name, the first path in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories. For quick testing, put firmware files in /root/test-firmware and add that directory to the list. Note that you can also add firmware packages to this list as these are directories in the nix store.

Default: [ ]

Example: [ "/root/my-firmware" ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
hardware.nvidiaOptimus.disable

Completely disable the NVIDIA graphics card and use the integrated graphics processor instead.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-optimus.nix>
hardware.opengl.driSupport

Whether to enable accelerated OpenGL rendering through the Direct Rendering Interface (DRI).

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/opengl.nix>
hardware.opengl.driSupport32Bit

On 64-bit systems, whether to support Direct Rendering for 32-bit applications (such as Wine). This is currently only supported for the nvidia driver and for Mesa.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/opengl.nix>
hardware.opengl.s3tcSupport

Make S3TC(S3 Texture Compression) via libtxc_dxtn available to OpenGL drivers instead of the patent-free S2TC replacement. Using this library may require a patent license depending on your location.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/opengl.nix>
hardware.pcmcia.config

Path to the configuration file which maps the memory, IRQs and ports used by the PCMCIA hardware.

Default: null

Declared by:

<nixpkgs/nixos/modules/hardware/pcmcia.nix>
hardware.pcmcia.enable

Enable this option to support PCMCIA card.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/pcmcia.nix>
hardware.pcmcia.firmware

List of firmware used to handle specific PCMCIA card.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/hardware/pcmcia.nix>
hardware.pulseaudio.configFile

The path to the configuration the PulseAudio server should use. By default, the "default.pa" configuration from the PulseAudio distribution is used.

Default: "/nix/store/7d7xj0fd4n595k0npp3045m3spqygj79-pulseaudio-5.0/etc/pulse/default.pa"

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.daemon.logLevel

The log level that the system-wide pulseaudio daemon should use, if activated.

Default: "notice"

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.enable

Whether to enable the PulseAudio sound server.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.package

The PulseAudio derivation to use. This can be used to enable features (such as JACK support) that are not enabled in the default PulseAudio in Nixpkgs.

Default: (build of pulseaudio-5.0)

Example:

pulseaudio.override { jackaudioSupport = true; }

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.systemWide

If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. The server runs with user privileges. This is the recommended and most secure way to use PulseAudio. If true, one system-wide PulseAudio server is launched on boot, running as the user "pulse". Please read the PulseAudio documentation for more details.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.sane.enable

Enable support for SANE scanners.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.snapshot

Use a development snapshot of SANE scanner drivers.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
i18n.consoleFont

The font used for the virtual consoles. Leave empty to use whatever the setfont program considers the default font.

Default: "lat9w-16"

Example: "LatArCyrHeb-16"

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.consoleKeyMap

The keyboard mapping table for the virtual consoles.

Default: "us"

Example: "fr"

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.defaultLocale

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

Default: "en_US.UTF-8"

Example: "nl_NL.UTF-8"

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.supportedLocales

List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc.

Default: [ "all" ]

Example: [ "en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1" ]

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
jobs

This option is a legacy method to define system services, dating from the era where NixOS used Upstart instead of systemd. You should use systemd.services instead. Services defined using jobs are mapped automatically to systemd.services, but may not work perfectly; in particular, most startOn conditions are not supported.

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/upstart/upstart.nix>
jobs.<name?>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

jobs.<name?>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

jobs.<name?>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

jobs.<name?>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

jobs.<name?>.daemonType

Determines how systemd detects when a daemon should be considered “running”. The value none means that the daemon is considered ready immediately. The value fork means that the daemon will fork once. The value daemon means that the daemon will fork twice. The value stop means that the daemon will raise the SIGSTOP signal to indicate readiness.

Default: "none"

jobs.<name?>.description

Description of this unit used in systemd messages and progress indicators.

Default: ""

jobs.<name?>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started.

Default: true

jobs.<name?>.environment

Environment variables passed to the service's processes.

Default: { }

Example: { LANG = "nl_NL.UTF-8"; PATH = "/foo/bar/bin"; }

jobs.<name?>.exec

Command to start the job's main process. If empty, the job has no main process, but can still have pre/post-start and pre/post-stop scripts, and is considered “running” until it is stopped.

Default: ""

jobs.<name?>.name

Name of the job, mapped to the systemd unit name.service.

Example: "sshd"

jobs.<name?>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

jobs.<name?>.path

Packages added to the job's PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Default: [ ]

jobs.<name?>.postStart

Shell commands executed after the job is started (i.e. after the job's main process is started), but before the job is considered “running”.

Default: ""

jobs.<name?>.postStop

Shell commands executed after the job has stopped (i.e. after the job's main process has terminated).

Default: ""

jobs.<name?>.preStart

Shell commands executed before the service's main process is started.

Default: ""

jobs.<name?>.preStop

Shell commands executed before the job is stopped (i.e. before systemd kills the job's main process). This can be used to cleanly shut down a daemon.

Default: ""

jobs.<name?>.reloadIfChanged

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of restartIfChanged is ignored.

Default: false

jobs.<name?>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit.

Default: [ ]

jobs.<name?>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

jobs.<name?>.respawn

Whether to restart the job automatically if its process ends unexpectedly.

Default: true

jobs.<name?>.restartIfChanged

Whether the service should be restarted during a NixOS configuration switch if its definition has changed.

Default: true

jobs.<name?>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Default: [ ]

jobs.<name?>.script

Shell commands executed as the service's main process.

Default: ""

jobs.<name?>.scriptArgs

Arguments passed to the main process script.

Default: ""

jobs.<name?>.serviceConfig

Each attribute in this set specifies an option in the [Service] section of the unit. See systemd.service(5) for details.

Default: { }

Example: { RestartSec = 5; StartLimitInterval = 10; }

jobs.<name?>.setgid

Run the daemon as a different group.

Default: ""

jobs.<name?>.setuid

Run the daemon as a different user.

Default: ""

jobs.<name?>.startAt

Automatically start this unit at the given date/time, which must be in the format described in systemd.time(5). This is equivalent to adding a corresponding timer unit with OnCalendar set to the value given here.

Default: ""

Example: "Sun 14:00:00"

jobs.<name?>.startOn

The Upstart event that triggers this job to be started. Some are mapped to systemd dependencies; otherwise you will get a warning. If empty, the job will not start automatically.

Default: ""

jobs.<name?>.stopIfChanged

If set, a changed unit is restarted by calling systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using systemctl restart in the new configuration. The latter is less correct because it runs the ExecStop commands from the new configuration.

Default: true

jobs.<name?>.stopOn

Ignored; this was the Upstart event that triggers this job to be stopped.

Default: "starting shutdown"

jobs.<name?>.task

Whether this job is a task rather than a service. Tasks are executed only once, while services are restarted when they exit.

Default: false

jobs.<name?>.unit

Generated definition of the systemd unit corresponding to this job.

Default: { after = [ ] ; before = [ ] ; description = ""; environment = { } ; partOf = [ ] ; path = [ ] ; requires = [ ] ; restartIfChanged = true; serviceConfig = { RemainAfterExit = true; Type = "oneshot"; } ; unitConfig = { } ; wantedBy = [ ] ; wants = [ ] ; }

jobs.<name?>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Default: { }

Example: { RequiresMountsFor = "/data"; }

jobs.<name?>.wantedBy

Units that want (i.e. depend on) this unit.

Default: [ ]

jobs.<name?>.wants

Start the specified units when this unit is started.

Default: [ ]

krb5.defaultRealm

Default realm.

Default: "ATENA.MIT.EDU"

Declared by:

<nixpkgs/nixos/modules/config/krb5.nix>
krb5.domainRealm

Default domain realm.

Default: "atena.mit.edu"

Declared by:

<nixpkgs/nixos/modules/config/krb5.nix>
krb5.enable

Whether to enable Kerberos V.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/krb5.nix>
krb5.kdc

Kerberos Domain Controller

Default: "kerberos.mit.edu"

Declared by:

<nixpkgs/nixos/modules/config/krb5.nix>
krb5.kerberosAdminServer

Kerberos Admin Server

Default: "kerberos.mit.edu"

Declared by:

<nixpkgs/nixos/modules/config/krb5.nix>
lib

This option allows modules to define helper functions, constants, etc.

Default: { }

Declared by:

<nixpkgs/nixos/modules/misc/lib.nix>
nesting.children

Additional configurations to build.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
nesting.clone

Additional configurations to build based on the current configuration which is has a lower priority.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
networking.WLANInterface

Obsolete. Use networking.wireless.interfaces instead.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.bonds

This option allows you to define bond devices that aggregate multiple, underlying networking interfaces together. The value of this option is an attribute set. Each attribute specifies a bond, with the attribute name specifying the name of the bond's network interface

Default: { }

Example: { bond0 = { interfaces = [ "eth0" "wlan0" ] ; miimon = 100; mode = "active-backup"; } ; fatpipe = { interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ] ; } ; }

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.interfaces

The interfaces to bond together

Example: [ "enp4s0f0" "enp4s0f1" "wlan0" ]

networking.bonds.<name>.miimon

Miimon is the number of millisecond in between each round of polling by the device driver for failed links. By default polling is not enabled and the driver is trusted to properly detect and handle failure scenarios.

Default: null

Example: 100

networking.bonds.<name>.mode

The mode which the bond will be running. The default mode for the bonding driver is balance-rr, optimizing for throughput. More information about valid modes can be found at https://www.kernel.org/doc/Documentation/networking/bonding.txt

Default: null

Example: "active-backup"

networking.bridges

This option allows you to define Ethernet bridge devices that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a bridge, with the attribute name specifying the name of the bridge's network interface.

Default: { }

Example: { br0 = { interfaces = [ "eth0" "eth1" ] ; } ; br1 = { interfaces = [ "eth2" "wlan0" ] ; } ; }

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bridges.<name>.interfaces

The physical network interfaces connected by the bridge.

Example: [ "eth0" "eth1" ]

networking.connman.enable

Whether to use ConnMan for managing your network connections.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
networking.defaultGateway

The default gateway. It can be left empty if it is auto-detected through DHCP.

Default: ""

Example: "131.211.84.1"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGatewayWindowSize

The window size of the default gateway. It limits maximal data bursts that TCP peers are allowed to send to us.

Default: null

Example: 524288

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultMailServer.authPass

Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)

Default: ""

Example: "correctHorseBatteryStaple"

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.defaultMailServer.authUser

Username used for SMTP auth. Leave blank to disable.

Default: ""

Example: "foo@example.org"

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.defaultMailServer.directDelivery

Use the trivial Mail Transfer Agent (MTA) ssmtp package to allow programs to send e-mail. If you don't want to run a “real” MTA like sendmail or postfix on your machine, set this option to true, and set the option networking.defaultMailServer.hostName to the host name of your preferred mail server.

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.defaultMailServer.domain

The domain from which mail will appear to be sent.

Default: ""

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.defaultMailServer.hostName

The host name of the default mail server to use to deliver e-mail.

Example: "mail.example.org"

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.defaultMailServer.useSTARTTLS

Whether the STARTTLS should be used to connect to the default mail server. (This is needed for TLS-capable mail servers running on the default SMTP port 25.)

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.defaultMailServer.useTLS

Whether TLS should be used to connect to the default mail server.

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ssmtp.nix>
networking.dhcpcd.denyInterfaces

Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. The purpose of this option is to blacklist virtual interfaces such as those created by Xen, libvirt, LXC, etc.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.extraConfig

Literal string to append to the config file generated for dhcpcd.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dnsSingleRequest

Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) address queries at the same time, from the same port. Sometimes upstream routers will systemically drop the ipv4 queries. The symptom of this problem is that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The workaround for this is to specify the option 'single-request' in /etc/resolv.conf. This option enables that.

Default: false

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.domain

The domain. It can be left empty if it is auto-detected through DHCP.

Default: ""

Example: "home"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.enableB43Firmware

Turn on this option if you want firmware for the NICs supported by the b43 module.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/b43.nix>
networking.enableIPv6

Whether to enable support for IPv6.

Default: true

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.enableIntel2100BGFirmware

Turn on this option if you want firmware for the Intel PRO/Wireless 2100BG to be loaded automatically. This is required if you want to use this device.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/intel-2100bg.nix>
networking.enableIntel2200BGFirmware

Turn on this option if you want firmware for the Intel PRO/Wireless 2200BG to be loaded automatically. This is required if you want to use this device.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/intel-2200bg.nix>
networking.enableIntel3945ABGFirmware

This option enables automatic loading of the firmware for the Intel PRO/Wireless 3945ABG.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/intel-3945abg.nix>
networking.enableRTL8192cFirmware

Turn on this option if you want firmware for the RTL8192c (and related) NICs.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/rtl8192c.nix>
networking.enableRalinkFirmware

Turn on this option if you want firmware for the RT73 NIC.

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/ralink.nix>
networking.extraHosts

Additional entries to be appended to /etc/hosts.

Default: ""

Example: "192.168.0.1 lanlocalhost"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.firewall.allowPing

Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedTCPPortRanges

A range of TCP ports on which incoming connections are accepted.

Default: [ ]

Example: [ { from = 8999; to = 9003; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedTCPPorts

List of TCP ports on which incoming connections are accepted.

Default: [ ]

Example: [ 22 80 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedUDPPortRanges

Range of open UDP ports.

Default: [ ]

Example: [ { from = 60000; to = 61000; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedUDPPorts

List of open UDP ports.

Default: [ ]

Example: [ 53 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.autoLoadConntrackHelpers

Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules (needs kernel 3.5+)

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.checkReversePath

Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused. If using asymmetric routing or other complicated routing, disable this setting and setup your own counter-measures. (needs kernel 3.3+)

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.connectionTrackingModules

List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example. As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers Loading of helpers is recommended to be done through the new CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/

Default: [ "ftp" ]

Example: [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.enable

Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.extraCommands

Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used to allow packets that would otherwise be refused.

Default: ""

Example: "iptables -A INPUT -p icmp -j ACCEPT"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedConnections

Whether to log rejected or dropped incoming connections.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedPackets

Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedUnicastsOnly

If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.pingLimit

If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "-limit 1/minute -limit-burst 5"

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.rejectPackets

If set, forbidden packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client. Rejecting packets makes port scanning somewhat easier.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.trustedInterfaces

Traffic coming in from these interfaces will be accepted unconditionally.

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.hostName

The name of the machine. Leave it empty if you want to obtain it from a DHCP server (if using DHCP).

Default: "nixos"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaceMonitor.beep

If true, beep when an Ethernet cable is plugged in or unplugged.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ifplugd.nix>
networking.interfaceMonitor.commands

Shell commands to be executed when the link status of an interface changes. On invocation, the shell variable iface contains the name of the interface, while the variable status contains either up or down to indicate the new status.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ifplugd.nix>
networking.interfaceMonitor.enable

If true, monitor Ethernet interfaces for cables being plugged in or unplugged. When this occurs, the commands specified in networking.interfaceMonitor.commands are executed.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ifplugd.nix>
networking.interfaces

The configuration for each network interface. If networking.useDHCP is true, then every interface not listed here will be configured using DHCP.

Default: { }

Example: { eth0 = { ipAddress = "131.211.84.78"; subnetMask = "255.255.255.128"; } ; }

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name?>.ipAddress

IP address of the interface. Leave empty to configure the interface using DHCP.

Default: null

Example: "10.0.0.1"

networking.interfaces.<name?>.ipv6Address

IPv6 address of the interface. Leave empty to configure the interface using NDP.

Default: null

Example: "2001:1470:fffd:2098::e006"

networking.interfaces.<name?>.ipv6prefixLength

Subnet mask of the interface, specified as the number of bits in the prefix (64).

Default: 64

Example: 64

networking.interfaces.<name?>.macAddress

MAC address of the interface. Leave empty to use the default.

Default: null

Example: "00:11:22:33:44:55"

networking.interfaces.<name?>.mtu

MTU size for packets leaving the interface. Leave empty to use the default.

Default: null

Example: 9000

networking.interfaces.<name?>.name

Name of the interface.

Example: "eth0"

networking.interfaces.<name?>.prefixLength

Subnet mask of the interface, specified as the number of bits in the prefix (24).

Default: null

Example: 24

networking.interfaces.<name?>.proxyARP

Turn on proxy_arp for this device (and proxy_ndp for ipv6). This is mainly useful for creating pseudo-bridges between a real interface and a virtual network such as VPN or a virtual machine for interfaces that don't support real bridging (most wlan interfaces). As ARP proxying acts slightly above the link-layer, below-ip traffic isn't bridged, so things like DHCP won't work. The advantage above using NAT lies in the fact that no IP addresses are shared, so all hosts are reachable/routeable. WARNING: turns on ip-routing, so if you have multiple interfaces, you should think of the consequence and setup firewall rules to limit this.

Default: false

networking.interfaces.<name?>.subnetMask

Subnet mask of the interface, specified as a bitmask. This is deprecated; use prefixLength instead.

Default: ""

Example: "255.255.255.0"

networking.interfaces.<name?>.virtual

Whether this interface is virtual and should be created by tunctl. This is mainly useful for creating bridges between a host a virtual network such as VPN or a virtual machine. Defaults to tap device, unless interface contains "tun" in its name.

Default: false

networking.interfaces.<name?>.virtualOwner

In case of a virtual device, the user who owns it.

Default: "root"

networking.localCommands

Shell commands to be executed at the end of the network-setup systemd service. Note that if you are using DHCP to obtain the network configuration, interfaces may not be fully configured yet.

Default: ""

Example: "text=anything; echo You can put \$text here."

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.nameservers

The list of nameservers. It can be left empty if it is auto-detected through DHCP.

Default: [ ]

Example: [ "130.161.158.4" "130.161.33.17" ]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.nat.enable

Whether to enable Network Address Translation (NAT).

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.externalIP

The public IP address to which packets from the local network are to be rewritten. If this is left empty, the IP address associated with the external interface will be used.

Default: null

Example: "203.0.113.123"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.externalInterface

The name of the external network interface.

Example: "eth1"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.internalIPs

The IP address ranges for which to perform NAT. Packets coming from these addresses (on any interface) and destined for the external interface will be rewritten.

Default: [ ]

Example: [ "192.168.1.0/24" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.internalInterfaces

The interfaces for which to perform NAT. Packets coming from these interface and destined for the external interface will be rewritten.

Default: [ ]

Example: [ "eth0" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.networkmanager.appendNameservers

A list of name servers that should be appended to the ones configured in NetworkManager or received by DHCP.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.enable

Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured. If enabled, a group networkmanager will be created. Add all users that should have permission to change network settings to this group.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.insertNameservers

A list of name servers that should be inserted before the ones configured in NetworkManager or received by DHCP.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.packages

Extra packages that provide NetworkManager plugins.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.tcpcrypt.enable

Whether to enable opportunistic TCP encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be sent in clear text. Thus, Tcpcrypt alone provides no guarantees -- it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tcpcrypt.nix>
networking.useDHCP

Whether to use DHCP to obtain an IP address and other configuration for all network interfaces that are not manually configured.

Default: true

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.useHostResolvConf

In containers, whether to use the resolv.conf supplied by the host.

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.usePredictableInterfaceNames

Whether to assign predictable names to network interfaces. If enabled, interfaces are assigned names that contain topology information (e.g. wlp3s0) and thus should be stable across reboots. If disabled, names depend on the order in which interfaces are discovered by the kernel, which may change randomly across reboots; for instance, you may find eth0 and eth1 flipping unpredictably.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
networking.vlans

This option allows you to define vlan devices that tag packets on top of a physical interface. The value of this option is an attribute set. Each attribute specifies a vlan, with the name specifying the name of the vlan interface.

Default: { }

Example: { vlan0 = { id = 3; interface = "enp3s0"; } ; vlan1 = { id = 1; interface = "wlan0"; } ; }

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vlans.<name>.id

The vlan identifier

Example: 1

networking.vlans.<name>.interface

The interface the vlan will transmit packets through.

Example: "enp4s0"

networking.wicd.enable

Whether to start wicd. Wired and wireless network configurations can then be managed by wicd-client.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wicd.nix>
networking.wireless.driver

Force a specific wpa_supplicant driver.

Default: "nl80211,wext"

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.enable

Whether to start wpa_supplicant to scan for and associate with wireless networks. Note: NixOS currently does not generate wpa_supplicant's configuration file, /etc/wpa_supplicant.conf. You should edit this file yourself to define wireless networks, WPA keys and so on (see wpa_supplicant.conf(5)).

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.interfaces

The interfaces wpa_supplicant will use. If empty, it will automatically use all wireless interfaces.

Default: [ ]

Example: [ "wlan0" "wlan1" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.userControlled.enable

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot. When you want to use this, make sure /etc/wpa_supplicant.conf doesn't exist. It will be created for you. Currently it is also necessary to explicitly specify networking.wireless.interfaces.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.userControlled.group

Members of this group can control wpa_supplicant.

Default: "wheel"

Example: "network"

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
nix.binaryCaches

List of binary cache URLs used to obtain pre-built binaries of Nix packages.

Default: [ "http://cache.nixos.org/" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.buildMachines

This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store. Each element of the list should be an attribute set containing the machine's host name (hostname), the user name to be used for the SSH connection (sshUser), the Nix system type (system, e.g., "i686-linux"), the maximum number of jobs to be run in parallel on that machine (maxJobs), the path to the SSH private key to be used to connect (sshKey), a list of supported features of the machine (supportedFeatures) and a list of mandatory features of the machine (mandatoryFeatures). The SSH private key should not have a passphrase, and the corresponding public key should be added to ~sshUser/authorized_keys on the remote machine.

Default: [ ]

Example: [ { hostName = "voila.labs.cs.uu.nl"; maxJobs = 1; sshKey = "/root/.ssh/id_buildfarm"; sshUser = "nix"; system = "powerpc-darwin"; } { hostName = "linux64.example.org"; mandatoryFeatures = "perf"; maxJobs = 2; sshKey = "/root/.ssh/id_buildfarm"; sshUser = "buildfarm"; supportedFeatures = "kvm"; system = "x86_64-linux"; } ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.chrootDirs

Directories from the host filesystem to be included in the chroot.

Default: [ ]

Example: [ "/dev" "/proc" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.daemonIONiceLevel

Nix daemon process I/O priority. This priority propagates to build processes. 0 is the default Unix process I/O priority, 7 is the lowest.

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.daemonNiceLevel

Nix daemon process priority. This priority propagates to build processes. 0 is the default Unix process priority, 20 is the lowest.

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.distributedBuilds

Whether to distribute builds to the machines listed in nix.buildMachines.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.extraOptions

Additional text appended to nix.conf.

Default: ""

Example:

''
gc-keep-outputs = true
gc-keep-derivations = true
''

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.gc.automatic

Automatically run the garbage collector at a specific time.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.gc.dates

Specification (in the format described by systemd.time(5)) of the time at which the garbage collector will run.

Default: "03:15"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.gc.options

Options given to nix-collect-garbage when the garbage collector is run automatically.

Default: ""

Example: "--max-freed \$((64 * 1024**3))"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.maxJobs

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is 1. You should generally set it to the number of CPUs in your system (e.g., 2 on an Athlon 64 X2).

Default: 1

Example: 64

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.nrBuildUsers

Number of nixbld user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.package

This option specifies the Nix package instance to use throughout the system.

Default: (build of nix-1.7)

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.proxy

This option specifies the proxy to use for fetchurl. The real effect is just exporting http_proxy, https_proxy and ftp_proxy with that value.

Default: ""

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.readOnlyStore

If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount. Nix will automatically make the store writable when needed.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.sshServe.enable

Whether to enable serving the nix store over ssh.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
nix.trustedBinaryCaches

List of binary cache URLs that non-root users can use (in addition to those specified using nix.binaryCaches by passing --option binary-caches to Nix commands.

Default: [ ]

Example: [ "http://hydra.nixos.org/" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nix.useChroot

If set, Nix will perform builds in a chroot-environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-daemon.nix>
nixpkgs.config

The configuration of the Nix Packages collection. (For details, see the Nixpkgs documentation.) It allows you to set package configuration options, and to override packages globally through the packageOverrides option. The latter is a function that takes as an argument the original Nixpkgs, and must evaluate to a set of new or overridden packages.

Default: { }

Example:

{ firefox.enableGeckoMediaPlayer = true;
  packageOverrides = pkgs: {
    firefox60Pkgs = pkgs.firefox60Pkgs.override {
      enableOfficialBranding = true;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.system

Specifies the Nix platform type for which NixOS should be built. If unset, it defaults to the platform type of your host system. Specifying this option is useful when doing distributed multi-platform deployment, or when building virtual machines.

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
power.ups.enable

Enables support for Power Devices, such as Uninterruptible Power Supplies, Power Distribution Units and Solar Controllers.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.maxStartDelay

This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.

Default: 45

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.mode

The MODE determines which part of the NUT is to be started, and which configuration files must be modified. The values of MODE can be: - none: NUT is not configured, or use the Integrated Power Management, or use some external system to startup NUT components. So nothing is to be started. - standalone: This mode address a local only configuration, with 1 UPS protecting the local system. This implies to start the 3 NUT layers (driver, upsd and upsmon) and the matching configuration files. This mode can also address UPS redundancy. - netserver: same as for the standalone configuration, but also need some more ACLs and possibly a specific LISTEN directive in upsd.conf. Since this MODE is opened to the network, a special care should be applied to security concerns. - netclient: this mode only requires upsmon.

Default: "standalone"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.schedulerRules

File which contains the rules to handle UPS events.

Example: "/etc/nixos/upssched.conf"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups

This is where you configure all the UPSes that this system will be monitoring directly. These are usually attached to serial ports, but USB devices are also supported.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.description

Description of the UPS.

Default: ""

power.ups.ups.<name>.directives

List of configuration directives for this UPS.

Default: [ ]

power.ups.ups.<name>.driver

Specify the program to run to talk to this UPS. apcsmart, bestups, and sec are some examples.

power.ups.ups.<name>.maxStartDelay

This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.

Default: null

power.ups.ups.<name>.port

The serial port to which your UPS is connected. /dev/ttyS0 is usually the first port on Linux boxes, for example.

power.ups.ups.<name>.shutdownOrder

When you have multiple UPSes on your system, you usually need to turn them off in a certain order. upsdrvctl shuts down all the 0s, then the 1s, 2s, and so on. To exclude a UPS from the shutdown sequence, set this to -1.

Default: 0

power.ups.ups.<name>.summary

Lines which would be added inside ups.conf for handling this UPS.

Default: ""

powerManagement.cpuFreqGovernor

Configure the governor used to regulate the frequence of the available CPUs. By default, the kernel configures the on-demand governor.

Default: null

Example: "ondemand"

Declared by:

<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
powerManagement.enable

Whether to enable power management. This includes support for suspend-to-RAM and powersave features on laptops.

Default: true

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.powerDownCommands

Commands executed when the machine powers down. That is, they're executed both when the system shuts down and when it goes to suspend or hibernation.

Default: ""

Example: "/nix/store/c10rdpg4jb9ivrdzsbb9sg7v4pzaqcbn-hdparm-9.43/sbin/hdparm -B 255 /dev/sda"

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.powerUpCommands

Commands executed when the machine powers up. That is, they're executed both when the system first boots and when it resumes from suspend or hibernation.

Default: ""

Example: "/nix/store/c10rdpg4jb9ivrdzsbb9sg7v4pzaqcbn-hdparm-9.43/sbin/hdparm -B 255 /dev/sda"

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.resumeCommands

Commands executed after the system resumes from suspend-to-RAM.

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.scsiLinkPolicy

Configure the SCSI link power management policy. By default, the kernel configures "max_performance".

Default: ""

Example: "min_power"

Declared by:

<nixpkgs/nixos/modules/tasks/scsi-link-power-management.nix>
programs.atop.settings

Parameters to be written to /etc/atoprc

Default: { }

Example: { flags = "a1f"; interval = 5; }

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.bash.enableCompletion

Enable Bash completion for all interactive bash shells.

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.interactiveShellInit

Shell script code called during interactive bash shell initialisation.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.loginShellInit

Shell script code called during login bash shell initialisation.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.promptInit

Shell script code used to initialise the bash prompt.

Default:

''
# Provide a nice prompt.
PROMPT_COLOR="1;31m"
let $UID && PROMPT_COLOR="1;32m"
PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
if test "$TERM" = "xterm"; then
  PS1="\[\033]2;\h:\u:\w\007\]$PS1"
fi
''

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.shellAliases

Set of aliases for bash shell. See environment.shellAliases for an option format description.

Default: { l = "ls -alh"; ll = "ls -l"; ls = "ls --color=tty"; restart = "systemctl restart"; start = "systemctl start"; status = "systemctl status"; stop = "systemctl stop"; which = "type -P"; }

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.shellInit

Shell script code called during bash shell initialisation.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.screen.screenrc

The contents of /etc/screenrc file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/screen.nix>
programs.ssh.extraConfig

Extra configuration text appended to ssh_config. See ssh_config(5) for help.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.forwardX11

Whether to request X11 forwarding on outgoing connections by default. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.setXAuthLocation

Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.startAgent

Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don't have to type in passphrases every time you make an SSH connection. Use ssh-add to add a key to the agent.

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.zsh.enable

Whenever to configure Zsh as an interactive shell.

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.interactiveShellInit

Shell script code called during interactive zsh shell initialisation.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.loginShellInit

Shell script code called during zsh login shell initialisation.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.promptInit

Shell script code used to initialise the zsh prompt.

Default:

''
autoload -U promptinit && promptinit && prompt walters
''

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.shellAliases

Set of aliases for zsh shell. See environment.shellAliases for an option format description.

Default: { l = "ls -alh"; ll = "ls -l"; ls = "ls --color=tty"; restart = "systemctl restart"; start = "systemctl start"; status = "systemctl status"; stop = "systemctl stop"; }

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.shellInit

Shell script code called during zsh shell initialisation.

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
security.apparmor.confineSUIDApplications

Install AppArmor profiles for commonly-used SUID application to mitigate potential privilege escalation attacks due to bugs in such applications. Currently available profiles: ping

Default: true

Declared by:

<nixpkgs/nixos/modules/security/apparmor-suid.nix>
security.apparmor.enable

Enable the AppArmor Mandatory Access Control system.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.profiles

List of files containing AppArmor profiles.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.duosec.acceptEnvFactor

Look for factor selection or passcode in the $DUO_PASSCODE environment variable before prompting the user for input. When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in its configuration, and the SSH server will similarily need AcceptEnv DUO_PASSCODE.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.autopush

If true, Duo Unix will automatically send a push login request to the user’s phone, falling back on a phone call if push is unavailable. If false, the user will be prompted to choose an authentication method. When configured with autopush = yes, we recommend setting prompts = 1.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.failmode

On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe".

Default: "safe"

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.fallbackLocalIP

Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting fallbackLocalIP = yes will cause Duo Unix to send the IP address of the server it is running on. If you are using IP whitelisting, enabling this option could cause unauthorized logins if the local IP is listed in the whitelist.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.group

Use Duo authentication for users only in this group.

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.host

Duo API hostname.

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.ikey

Integration key.

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.motd

Print the contents of /etc/motd to screen after a succesful login.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.pam.enable

If enabled, protect logins with Duo Security using PAM support.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.prompts

If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3. For example, when prompts = 1, the user will have to successfully authenticate on the first prompt, whereas if prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again. When configured with autopush = true, we recommend setting prompts = 1.

Default: 3

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.pushinfo

Include information such as the command to be executed in the Duo Push message.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.skey

Secret key.

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.ssh.enable

If enabled, protect SSH logins with Duo Security.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.grsecurity.config.denyChrootChmod

If true, then set GRKERN_CHROOT_CHMOD y. If enabled, this denies processes inside a chroot from setting the suid or sgid bits using chmod or fchmod. By default this protection is disabled - it makes it impossible to use Nix to build software on your system, which is what most users want. If you are using NixOps to deploy your software to a remote machine, you're encouraged to enable this as you won't need to compile code.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.disableRBAC

If true, then set GRKERN_NO_RBAC y. This disables the /dev/grsec device, which in turn disables the RBAC system (and gradm).

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.hardwareVirtualisation

grsecurity hardware virtualisation configuration. Set to true if your machine supports hardware accelerated virtualisation.

Default: null

Example: true

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.kernelExtraConfig

Extra kernel configuration parameters.

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.mode

grsecurity configuration mode. This specifies whether grsecurity is auto-configured or otherwise completely manually configured. Can either by custom or auto. auto is recommended.

Default: "auto"

Example: "custom"

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.priority

grsecurity configuration priority. This specifies whether the kernel configuration should emphasize speed or security. Can either by security or performance.

Default: "security"

Example: "performance"

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.restrictProc

If true, then set GRKERN_PROC_USER y. This restricts non-root users to only viewing their own processes and restricts network-related information, kernel symbols, and module information.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.restrictProcWithGroup

If true, then set GRKERN_PROC_USERGROUP y. This is similar to restrictProc except it allows a special group (specified by unrestrictProcGid) to still access otherwise classified information in /proc.

Default: true

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.sysctl

If true, then set GRKERN_SYSCTL y. If enabled then grsecurity can be controlled using sysctl (and turned off). You are advised to *never* enable this, but if you do, make sure to always set the sysctl kernel.grsecurity.grsec_lock to non-zero as soon as all sysctl options are set. *THIS IS EXTREMELY IMPORTANT*! If disabled, this also turns off the systemd-sysctl service.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.system

grsecurity system configuration. This specifies whether the kernel configuration should be suitable for a Desktop or a Server. Can either by server or desktop.

Default: ""

Example: "desktop"

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.unrestrictProcGid

If set, specifies a GID which is exempt from /proc restrictions (set by GRKERN_PROC_USERGROUP). By default, this is set to the GID for grsecurity, a predefined NixOS group, which the root account is a member of. You may conveniently add other users to this group if you need access to /proc

Default: 121

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.verboseVersion

Use verbose version in kernel localversion.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.virtualisationConfig

grsecurity virtualisation configuration. This specifies the virtualisation role of the machine - that is, whether it will be a virtual machine guest, a virtual machine host, or neither. Can be one of none, host, or guest.

Default: "none"

Example: "host"

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.config.virtualisationSoftware

grsecurity virtualisation software. Set this to the specified virtual machine technology if the machine is running as a guest, or a host. Can be one of kvm, xen, vmware or virtualbox.

Default: ""

Example: "kvm"

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.enable

Enable grsecurity support. This enables advanced exploit hardening for the Linux kernel, and adds support for administrative Role-Based Acess Control (RBAC) via gradm. It also includes traditional utilities for PaX.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.stable

Enable the stable grsecurity patch, based on Linux 3.2.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.testing

Enable the testing grsecurity patch, based on Linux 3.13.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.grsecurity.vserver

Enable the stable grsecurity/vserver patches, based on Linux 3.2.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/grsecurity.nix>
security.initialRootPassword

The (hashed) password for the root account set on initial installation. The empty string denotes that root can login locally without a password (but not via remote services such as SSH, or indirectly via su or sudo). The string ! prevents root from logging in using a password. Note, setting this option sets users.extraUsers.root.hashedPassword. Note, if users.mutableUsers is false you cannot change the root password manually, so in that case the name of this option is a bit misleading, since it will define the root password beyond the user initialisation phase.

Default: ""

Example: "!"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
security.pam.enableOTPW

Enable the OTPW (one-time password) PAM module.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.enableSSHAgentAuth

Enable sudo logins if the user's SSH agent provides a key present in ~/.ssh/authorized_keys. This allows machines to exclusively use SSH keys instead of passwords.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits

Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a domain, type, item, and value attribute. The syntax and semantics of these attributes must be that described in the limits.conf(5) man page.

Default: [ ]

Example: [ { domain = "ftp"; item = "nproc"; type = "hard"; value = "0"; } { domain = "@student"; item = "maxlogins"; type = "-"; value = "4"; } ]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services

This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name?>.allowNullPassword

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to !). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.

Default: false

security.pam.services.<name?>.forwardXAuth

Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)

Default: false

security.pam.services.<name?>.limits

Attribute set describing resource limits. Defaults to the value of security.pam.loginLimits.

security.pam.services.<name?>.name

Name of the PAM service.

Example: "sshd"

security.pam.services.<name?>.otpwAuth

If set, the OTPW system will be used (if ~/.otpw exists).

Default: false

security.pam.services.<name?>.rootOK

If set, root doesn't need to authenticate (e.g. for the useradd service).

Default: false

security.pam.services.<name?>.setLoginUid

Set the login uid of the process (/proc/self/loginuid) for auditing purposes. The login uid is only set by ‘entry points’ like login and sshd, not by commands like sudo.

security.pam.services.<name?>.showMotd

Whether to show the message of the day.

Default: false

security.pam.services.<name?>.sshAgentAuth

If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.

Default: false

security.pam.services.<name?>.startSession

If set, the service will register a new session with systemd's login manager. For local sessions, this will give the user access to audio devices, CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.

Default: false

security.pam.services.<name?>.text

Contents of the PAM service file.

security.pam.services.<name?>.unixAuth

Whether users can log in with passwords defined in /etc/shadow.

Default: true

security.pam.services.<name?>.updateWtmp

Whether to update /var/log/wtmp.

Default: false

security.pam.services.<name?>.usbAuth

If set, users listed in /etc/pamusb.conf are able to log in with the associated USB key.

Default: false

security.pam.usb.enable

Enable USB login for all login systems that support it. For more information, visit http://pamusb.org/doc/quickstart#setting_up.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam_usb.nix>
security.polkit.adminIdentities

Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value). By default, this is the root user and all users in the wheel group.

Default: [ "unix-user:0" "unix-group:wheel" ]

Example: [ "unix-user:alice" "unix-group:admin" ]

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.polkit.enable

Whether to enable PolKit.

Default: true

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.polkit.extraConfig

Any polkit rules to be added to config (in JavaScript ;-). See: http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules

Default: ""

Example:

''
/* Log authorization checks. */
polkit.addRule(function(action, subject) {
  polkit.log("user " +  subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});

/* Allow any local user to do anything (dangerous!). */
polkit.addRule(function(action, subject) {
  if (subject.local) return "yes";
});
''

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.rngd.enable

Whether to enable the rng daemon, which adds entropy from hardware sources of randomness to the kernel entropy pool when available.

Default: true

Declared by:

<nixpkgs/nixos/modules/security/rngd.nix>
security.rtkit.enable

Whether to enable the RealtimeKit system service, which hands out realtime scheduling priority to user processes on demand. For example, the PulseAudio server uses this to acquire realtime priority.

Default: false

Declared by:

<nixpkgs/nixos/modules/security/rtkit.nix>
security.setuidOwners

This option allows the ownership and permissions on the setuid wrappers for specific programs to be overridden from the default (setuid root, but not setgid root).

Default: [ ]

Example: [ { group = "postdrop"; owner = "nobody"; permissions = "u+rx,g+x,o+x"; program = "sendmail"; setgid = true; setuid = false; } ]

Declared by:

<nixpkgs/nixos/modules/security/setuid-wrappers.nix>
security.setuidPrograms

The Nix store cannot contain setuid/setgid programs directly. For this reason, NixOS can automatically generate wrapper programs that have the necessary privileges. This option lists the names of programs in the system environment for which setuid root wrappers should be created.

Default: [ ]

Example: [ "passwd" ]

Declared by:

<nixpkgs/nixos/modules/security/setuid-wrappers.nix>
security.sudo.configFile

This string contains the contents of the sudoers file.

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.enable

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.wheelNeedsPassword

Whether users of the wheel group can execute commands as super user without entering a password.

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
services.accounts-daemon.enable

Whether to enable AccountsService, a DBus service for accessing the list of user accounts and information attached to those accounts.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/accountservice.nix>
services.acpid.acEventCommands

Shell commands to execute on an ac_adapter.* event.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.enable

Whether to enable the ACPI daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.lidEventCommands

Shell commands to execute on a button/lid.* event.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.powerEventCommands

Shell commands to execute on a button/power.* event.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.activemq.baseDir

The base directory where ActiveMQ stores its persistent data and logs. This will be overridden if you set "activemq.base" and "activemq.data" in the javaProperties option. You can also override this in activemq.xml.

Default: "/var/activemq"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.configurationDir

The base directory for ActiveMQ's configuration. By default, this directory is searched for a file named activemq.xml, which should contain the configuration for the broker service.

Default: "/nix/store/716c6c54p62gm0573wkr8ch5f8ryzgh2-apache-activemq-5.8.0/conf"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.configurationURI

The URI that is passed along to the BrokerFactory to set up the configuration of the ActiveMQ broker service. You should not need to change this. For custom configuration, set the configurationDir instead, and create an activemq.xml configuration file in it.

Default: "xbean:activemq.xml"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.enable

Enable the Apache ActiveMQ message broker service.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.extraJavaOptions

Add extra options here that you want to be sent to the Java runtime when the broker service is started.

Default: ""

Example: "-Xmx2G -Xms2G -XX:MaxPermSize=512M"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.javaProperties

Specifies Java properties that are sent to the ActiveMQ broker service with the "-D" option. You can set properties here to change the behaviour and configuration of the broker. All essential properties that are not set here are automatically given reasonable defaults.

Default: { }

Example: { java.net.preferIPv4Stack = "true"; }

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.almir.director_address

IP/Hostname for Director to connect with bconsole.

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.director_name

Name of the Director to connect with bconsole.

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.director_password

Password for Director to connect with bconsole.

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.director_port

Port for Director to connect with bconsole.

Default: 9101

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.enable

Enable Almir web server. Also configures postgresql database and installs bacula.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.port

Port for Almir web server to listen on.

Default: 35000

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.sqlalchemy_engine_url

Define SQL database connection to bacula catalog as specified in http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls

Example:

''
postgresql://bacula:bacula@localhost:5432/bacula
mysql+mysqlconnector://<user>:<password>@<hostname>/<database>'
sqlite:////var/lib/bacula/bacula.db'
''

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.almir.timezone

Timezone as specified in https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Example: "Europe/Ljubljana"

Declared by:

<nixpkgs/nixos/modules/services/backup/almir.nix>
services.amule.dataDir

The directory holding configuration, incoming and temporary files.

Default: "/home/amule/"

Declared by:

<nixpkgs/nixos/modules/services/networking/amuled.nix>
services.amule.enable

Whether to run the AMule daemon. You need to manually run "amuled --ec-config" to configure the service for the first time.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/amuled.nix>
services.amule.user

The user the AMule daemon should run as.

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/amuled.nix>
services.apcupsd.configText

Contents of the runtime configuration file, apcupsd.conf. The default settings makes apcupsd autodetect USB UPSes, limit network access to localhost and shutdown the system when the battery level is below 50 percent, or when the UPS has calculated that it has 5 minutes or less of remaining power-on time. See man apcupsd.conf for details.

Default:

''
UPSTYPE usb
NISIP 127.0.0.1
BATTERYLEVEL 50
MINUTES 5
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
services.apcupsd.enable

Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure. User manual: http://www.apcupsd.com/manual/manual.html. Note that apcupsd runs as root (to allow shutdown of computer). You can check the status of your UPS with the "apcaccess" command.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
services.apcupsd.hooks

Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that event (prior to the default action). See "man apccontrol" for the list of events and what they represent. A hook script can stop apccontrol from doing its default action by exiting with value 99. Do not do this unless you know what you're doing.

Default: { }

Example: { doshutdown = "# shell commands to notify that the computer is shutting down"; }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
services.atd.allowEveryone

Whether to make /var/spool/at{jobs,spool} writeable by everyone (and sticky). This is normally not needed since the at commands are setuid/setgid atd.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/atd.nix>
services.atd.enable

Whether to enable the at daemon, a command scheduler.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/atd.nix>
services.avahi.browseDomains

List of non-local DNS domains to be browsed.

Default: [ "0pointer.de" "zeroconf.org" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.enable

Whether to run the Avahi daemon, which allows Avahi clients to use Avahi's service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by `avahi-daemon').

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.hostName

Host name advertised on the LAN. If not set, avahi will use the value of config.networking.hostName.

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.ipv4

Whether to use IPv4

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.ipv6

Whether to use IPv6

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.nssmdns

Whether to enable the mDNS NSS (Name Service Switch) plug-in. Enabling it allows applications to resolve names in the `.local' domain by transparently querying the Avahi daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publishing

Whether to allow publishing.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.wideArea

Whether to enable wide-area service discovery.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.bacula-dir.enable

Whether to enable Bacula Director Daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.extraConfig

Extra configuration for Bacula Director Daemon.

Default: ""

Example:

''
TODO
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.extraDirectorConfig

Extra configuration to be passed in Director directive.

Default: ""

Example:

''
Maximum Concurrent Jobs = 20;
Heartbeat Interval = 30;
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.extraMessagesConfig

Extra configuration to be passed in Messages directive.

Default: ""

Example:

''
console = all
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.name

The director name used by the system administrator. This directive is required.

Default: "nixos-dir"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.password

Specifies the password that must be supplied for a Director.

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.port

Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify DirAddresses (N.B plural) directive.

Default: 9101

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director

This option defines director resources in Bacula File Daemon.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.monitor

If Monitor is set to no (default), this director will have full

Default: "no"

Example: "yes"

services.bacula-fd.director.<name>.password

Specifies the password that must be supplied for a Director to b

services.bacula-fd.enable

Whether to enable Bacula File Daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.extraClientConfig

Extra configuration to be passed in Client directive.

Default: ""

Example:

''
Maximum Concurrent Jobs = 20;
Heartbeat Interval = 30;
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.extraMessagesConfig

Extra configuration to be passed in Messages directive.

Default: ""

Example:

''
console = all
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.name

The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple Clients. This directive is required.

Default: "nixos-fd"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.port

This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director's configuration file. The default is 9102.

Default: 9102

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.device

This option defines Device resources in Bacula Storage Daemon.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.device.<name>.archiveDevice

The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example " /dev/nst0" or "/dev/rmt/0mbn". For a DVD-writer, it will be for example /dev/hdc. It may also be a directory name if you are archiving to disk storage.

services.bacula-sd.device.<name>.extraDeviceConfig

Extra configuration to be passed in Device directive.

Default: ""

Example:

''
LabelMedia = yes
Random Access = no
AutomaticMount = no
RemovableMedia = no
MaximumOpenWait = 60
AlwaysOpen = no
''
services.bacula-sd.device.<name>.mediaType

The specified name-string names the type of media supported by this device, for example, "DLT7000". Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director's configuration file.

services.bacula-sd.director

This option defines Director resources in Bacula Storage Daemon.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.monitor

If Monitor is set to no (default), this director will have full

Default: "no"

Example: "yes"

services.bacula-sd.director.<name>.password

Specifies the password that must be supplied for a Director to b

services.bacula-sd.enable

Whether to enable Bacula Storage Daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.extraMessagesConfig

Extra configuration to be passed in Messages directive.

Default: ""

Example:

''
console = all
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.extraStorageConfig

Extra configuration to be passed in Storage directive.

Default: ""

Example:

''
Maximum Concurrent Jobs = 20;
Heartbeat Interval = 30;
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.name

Specifies the Name of the Storage daemon.

Default: "nixos-sd"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.port

Specifies port number on which the Storage daemon listens for Director connections. The default is 9103.

Default: 9103

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bind.blockedNetworks

What networks are just blocked.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.cacheNetworks

What networks are allowed to use us as a resolver.

Default: [ "127.0.0.0/24" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.configFile

Overridable config file to use for named. By default, that generated by nixos.

Default: (build of named.conf)

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.enable

Whether to enable BIND domain name server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.forwarders

List of servers we should forward requests to.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.ipv4Only

Only use ipv4, even if the host supports ipv6.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones

List of zones we claim authority over. master=false means slave server; slaves means addresses who may request zone transfer.

Default: [ ]

Example: [ { file = "/var/dns/example.com"; master = false; masters = [ "192.168.0.1" ] ; name = "example.com"; slaves = [ ] ; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bitlbee.authMode

The following authentication modes are available: Open -- Accept connections from anyone, use NickServ for user authentication. Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all. Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself.

Default: "Open"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.enable

Whether to run the BitlBee IRC to other chat network gateway. Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat networks via an IRC client.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.extraDefaults

Will be inserted in the Default section of the config file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.extraSettings

Will be inserted in the Settings section of the config file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.interface

The interface the BitlBee deamon will be listening to. If `127.0.0.1', only clients on the local host can connect to it; if `0.0.0.0', clients can access it from any network interface.

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.portNumber

Number of the port BitlBee will be listening to.

Default: 6667

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.btsync.apiKey

API key, which enables the developer API.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.checkForUpdates

Determines whether to check for updates and alert the user about them in the UI.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.deviceName

Name of the Bittorrent Sync device.

Example: "Voltron"

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.downloadLimit

Download speed limit. 0 is unlimited (default).

Default: 0

Example: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.enable

If enabled, start the Bittorrent Sync daemon. Once enabled, you can interact with the service through the Web UI, or configure it in your NixOS configuration. Enabling the btsync service also installs a multi-instance systemd unit which can be used to start user-specific copies of the daemon. Once installed, you can use systemctl start btsync@user to start the daemon only for user user, using the configuration file located at $HOME/.config/btsync.conf

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.enableWebUI

Enable Web UI for administration. Bound to the specified httpListenAddress and httpListenPort.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.encryptLAN

Encrypt LAN data.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.httpListenAddr

HTTP address to bind to.

Default: "0.0.0.0"

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.httpListenPort

HTTP port to bind on.

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.httpLogin

HTTP web login username.

Default: ""

Example: "allyourbase"

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.httpPass

HTTP web login password.

Default: ""

Example: "arebelongtous"

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.listeningPort

Listening port. Defaults to 0 which randomizes the port.

Default: 0

Example: 44444

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.sharedFolders

Shared folder list. If enabled, web UI must be disabled. Secrets can be generated using btsync --generate-secret. Note that this secret will be put inside the Nix store, so it is realistically not very secret.

Default: [ ]

Example: [ { directory = "/home/user/sync_test"; knownHosts = [ "192.168.1.2:4444" "192.168.1.3:4444" ] ; searchLAN = true; secret = "AHMYFPCQAHBM7LQPFXQ7WV6Y42IGUXJ5Y"; useDHT = false; useRelayServer = true; useSyncTrash = true; useTracker = true; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.uploadLimit

Upload speed limit. 0 is unlimited (default).

Default: 0

Example: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.btsync.useUpnp

Use Universal Plug-n-Play (UPnP)

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/btsync.nix>
services.cgminer.config

Additional config

Default: { }

Example: { auto-fan = true; auto-gpu = true; expiry = 120; failover-only = true; gpu-threads = 2; log = 5; queue = 1; scan-time = 60; temp-histeresys = 3; }

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.enable

Whether to enable cgminer, an ASIC/FPGA/GPU miner for bitcoin and litecoin.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.hardware

List of config options for every GPU

Default: [ ]

Example: [ { gpu-engine = "0-985"; gpu-fan = "0-85"; gpu-memclock = 860; gpu-powertune = 20; intensity = 9; temp-cutoff = 95; temp-overheat = 85; temp-target = 75; } { gpu-engine = "0-950"; gpu-fan = "0-85"; gpu-memclock = 825; gpu-powertune = 20; intensity = 9; temp-cutoff = 95; temp-overheat = 85; temp-target = 75; } ]

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.package

Which cgminer derivation to use.

Default: (build of cgminer-3.7.2)

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.pools

List of pools where to mine

Default: [ ]

Example: [ { password = "X"; url = "http://p2pool.org:9332"; username = "17EUZxTvs9uRmPsjPZSYUU3zCz9iwstudk"; } ]

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.user

User account under which cgminer runs

Default: "cgminer"

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.chrony.enable

Whether to synchronise your machine's time using chrony. Make sure you disable NTP if you enable this service.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/chrony.nix>
services.chrony.extraConfig

Extra configuration directives that should be added to chrony.conf

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/chrony.nix>
services.chrony.initstepslew

Allow chronyd to make a rapid measurement of the system clock error at boot time, and to correct the system clock by stepping before normal operation begins.

Default: { enabled = true; servers = [ "0.pool.ntp.org" "1.pool.ntp.org" "2.pool.ntp.org" ] ; threshold = 1000; }

Declared by:

<nixpkgs/nixos/modules/services/networking/chrony.nix>
services.chrony.servers

The set of NTP servers from which to synchronise.

Default: [ "0.pool.ntp.org" "1.pool.ntp.org" "2.pool.ntp.org" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/chrony.nix>
services.cjdns.confFile

Configuration file to pipe to cjdroute.

Default: "/etc/cjdroute.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.enable

Enable this option to start a instance of the cjdns network encryption and and routing engine. Configuration will be read from confFile.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.clamav.updater.config

Extra configuration for freshclam. Contents will be added verbatim to the configuration file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.updater.enable

Whether to enable automatic ClamAV virus definitions database updates.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.updater.frequency

Number of database checks per day.

Default: 12

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.cntlm.domain

Proxy account domain/workgroup name.

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.enable

Whether to enable the cntlm, which start a local proxy.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.extraConfig

Verbatim contents of cntlm.conf.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.netbios_hostname

The hostname of your machine.

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.password

Proxy account password. Note: use chmod 0600 on /etc/cntlm.password for security.

Default: "/etc/cntlm.password"

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.port

Specifies on which ports the cntlm daemon listens.

Default: [ 3128 ]

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.proxy

A list of NTLM/NTLMv2 authenticating HTTP proxies. Parent proxy, which requires authentication. The same as proxy on the command-line, can be used more than once to specify unlimited number of proxies. Should one proxy fail, cntlm automatically moves on to the next one. The connect request fails only if the whole list of proxies is scanned and (for each request) and found to be invalid. Command-line takes precedence over the configuration file.

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.username

Proxy account name, without the possibility to include domain name ('at' sign is interpreted literally).

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.couchdb.bindAddress

Defines the IP address by which CouchDB will be accessible.

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.databaseDir

Specifies location of CouchDB database files (*.couch named). This location should be writable and readable for the user the CouchDB service runs as (couchdb by default).

Default: "/var/lib/couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.enable

Whether to run CouchDB Server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.extraConfig

Extra configuration. Overrides any other cofiguration.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.group

Group account under which couchdb runs.

Default: "couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.logFile

Specifies the location of file for logging output.

Default: "/var/log/couchdb.log"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.package

CouchDB package to use.

Default: (build of couchdb-1.5.0)

Example:

pkgs.couchdb

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.port

Defined the port number to listen.

Default: 5984

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.uriFile

This file contains the full URI that can be used to access this instance of CouchDB. It is used to help discover the port CouchDB is running on (if it was set to 0 (e.g. automatically assigned any free one). This file should be writable and readable for the user that runs the CouchDB service (couchdb by default).

Default: "/var/run/couchdb/couchdb.uri"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.user

User account under which couchdb runs.

Default: "couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.viewIndexDir

Specifies location of CouchDB view index files. This location should be writable and readable for the user that runs the CouchDB service (couchdb by default).

Default: "/var/lib/couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.cron.enable

Whether to enable the Vixie cron daemon.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.cron.mailto

Email address to which job output will be mailed.

Default: null

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.cron.systemCronJobs

A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid sendmail. See security.setuidOwners If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root will is allowed to have its own crontab file. The /var/cron/cron.deny file is created automatically for you. So every user can use a crontab. Many nixos modules set systemCronJobs, so if you decide to disable vixie cron and enable another cron daemon, you may want it to get its system crontab based on systemCronJobs.

Default: [ ]

Example:

[ "* * * * *  test   ls -l / > /tmp/cronout 2>&1"
  "* * * * *  eelco  echo Hello World > /home/eelco/cronout"
]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.dbus.enable

Whether to start the D-Bus message bus daemon, which is required by many other system services and applications.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/system/dbus.nix>
services.dbus.packages

Packages whose D-Bus configuration files should be included in the configuration of the D-Bus system-wide message bus. Specifically, every file in pkg/etc/dbus-1/system.d is included.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/system/dbus.nix>
services.dd-agent.api_key

The Datadog API key to associate the agent with your account

Example: "ae0aa6a8f08efa988ba0a17578f009ab"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/dd-agent.nix>
services.dd-agent.enable

Whether to enable the dd-agent montioring service

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/dd-agent.nix>
services.dd-agent.hostname

The hostname to show in the Datadog dashboard (optional)

Default: null

Example: "mymachine.mydomain"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/dd-agent.nix>
services.dd-agent.nginxConfig

Datadog nginx integration configuration

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/dd-agent.nix>
services.dd-agent.postgresqlConfig

Datadog PostgreSQL integration configuration

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/dd-agent.nix>
services.ddclient.domain

Domain name to synchronize.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.enable

Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.extraConfig

Extra configuration. Contents will be added verbatim to the configuration file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.password

Password.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.protocol

Protocol to use with dynamic DNS provider. (see also, http://sourceforge.net/apps/trac/ddclient/wiki/Protocols)

Default: "dyndns2"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.server

Server

Default: "members.dyndns.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.username

Username.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.web

Default: "web, web=checkip.dyndns.com/, web-skip='Current IP Address: '"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.deluge.enable

Start Deluge daemon.

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.web.enable

Start Deluge Web daemon.

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.dhcpd.configFile

The path of the DHCP server configuration file. If no file is specified, a file is generated using the other options.

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd.enable

Whether to enable the DHCP server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd.extraConfig

Extra text to be appended to the DHCP server configuration file. Currently, you almost certainly need to specify something here, such as the options specifying the subnet mask, DNS servers, etc.

Default: ""

Example:

''
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.5;
option domain-name-servers 130.161.158.4, 130.161.33.17, 130.161.180.1;
option domain-name "example.org";
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200;
}
''

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd.interfaces

The interfaces on which the DHCP server should listen.

Default: [ "eth0" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dhcpd.machines

A list mapping ethernet addresses to IP addresses for the DHCP server.

Default: [ ]

Example: [ { ethernetAddress = "00:16:76:9a:32:1d"; hostName = "foo"; ipAddress = "192.168.1.10"; } { ethernetAddress = "00:19:d1:1d:c4:9a"; hostName = "bar"; ipAddress = "192.168.1.11"; } ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpd.nix>
services.dictd.DBs

List of databases to make available.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/dictd.nix>
services.dictd.enable

Whether to enable the DICT.org dictionary server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/dictd.nix>
services.disnix.enable

Whether to enable Disnix

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.infrastructure

List of name value pairs containing properties for the infrastructure model

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.publishAvahi

Whether to publish capabilities/properties as a Disnix service through Avahi

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.publishInfrastructure.enable

Whether to publish capabilities/properties of this machine in as attributes in the infrastructure option

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.publishInfrastructure.enableAuthentication

Whether to publish authentication credentials through the infrastructure attribute (not recommended in combination with Avahi)

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.useWebServiceInterface

Whether to enable the DisnixWebService interface running on Apache Tomcat

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.dnsmasq.enable

Whether to run dnsmasq.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.extraConfig

Extra configuration directives that should be added to dnsmasq.conf

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.servers

The parameter to dnsmasq -S.

Default: [ ]

Example: [ "8.8.8.8" "8.8.4.4" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dovecot2.enable

Whether to enable the Dovecot 2.x POP3/IMAP server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enableImap

Start the IMAP listener (when Dovecot is enabled).

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enablePop3

Start the POP3 listener (when Dovecot is enabled).

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.extraConfig

Additional entries to put verbatim into Dovecot's config file.

Default: ""

Example: "mail_debug = yes"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.group

Dovecot group name.

Default: "dovecot2"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailLocation

Location that dovecot will use for mail folders. Dovecot mail_location option.

Default: "maildir:/var/spool/mail/%u"

Example: "maildir:~/mail:INBOX=/var/spool/mail/%u"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.showPAMFailure

Show the PAM failure message on authentication error (useful for OTPW).

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sslCACert

CA certificate used by the server certificate.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sslServerCert

Server certificate

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sslServerKey

Server key.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.user

Dovecot user name.

Default: "dovecot2"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.drbd.config

Contents of the drbd.conf configuration file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/drbd.nix>
services.drbd.enable

Whether to enable support for DRBD, the Distributed Replicated Block Device.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/drbd.nix>
services.ejabberd.confDir

Location of the config directory of ejabberd

Default: "/var/ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.enable

Whether to enable ejabberd server

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.loadDumps

Configuration dump that should be loaded on the first startup

Default: [ ]

Example:

[ ./myejabberd.dump ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.logsDir

Location of the logfile directory of ejabberd

Default: "/var/log/ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.spoolDir

Location of the spooldir of ejabberd

Default: "/var/lib/ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.virtualHosts

Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas

Default: ''"localhost"''

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.elasticsearch.cluster_name

Elasticsearch name that identifies your cluster for auto-discovery

Default: "elasticsearch"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.dataDir

Data directory for elasticsearch.

Default: "/var/lib/elasticsearch"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.enable

Whether to enable elasticsearch

Default: false

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.extraConf

Extra configuration for elasticsearch

Default: ""

Example:

''
node.name: "elasticsearch"
node.master: true
node.data: false
index.number_of_shards: 5
index.number_of_replicas: 1
''

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.host

Elasticsearch listen address

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.logging

Elasticsearch logging configuration

Default:

''
rootLogger: INFO, console
logger:
  action: INFO
  com.amazonaws: WARN
appender:
  console:
    type: console
    layout:
      type: consolePattern
      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
''

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.port

Elasticsearch port to listen for HTTP traffic

Default: 9200

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.tcp_port

Elasticsearch port for the node to node communication

Default: 9300

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.fcron.allow

Users allowed to use fcrontab and fcrondyn (one name per line, all for everyone).

Default: [ "all" ]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.deny

Users forbidden from using fcron.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.enable

Whether to enable the fcron daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.maxSerialJobs

Maximum number of serial jobs which can run simultaneously.

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.queuelen

Number of jobs the serial queue and the lavg queue can contain.

Default: null

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.systab

The "system" crontab contents.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.felix.bundles

List of bundles that should be activated on startup

Default: [ (build of apache-felix-remoteshell-bundle-1.0.4) ]

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.felix.enable

Whether to enable the Apache Felix OSGi service

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.felix.group

Group account under which Apache Felix runs.

Default: "osgi"

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.felix.user

User account under which Apache Felix runs.

Default: "osgi"

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.firebird.baseDir

Location containing data/ and system/ directories. data/ stores the databases, system/ stores the password database security2.fdb.

Default: "/var/db/firebird"

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.enable

Whether to enable the Firebird super server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.package

Which firebird derivation to use.

Default: (build of firebird-2.5.2.26540-0)

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.port

Port Firebird uses.

Default: "3050"

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.user

User account under which firebird runs.

Default: "firebird"

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.flashpolicyd.enable

Whether to enable the Flash Policy server. This is necessary if you want Flash applications to make connections to your server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/flashpolicyd.nix>
services.flashpolicyd.policy

The policy to be served. The default is to allow connections from any domain to any port.

Default:

''
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy> 
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
''

Declared by:

<nixpkgs/nixos/modules/services/networking/flashpolicyd.nix>
services.foldingAtHome.config

Extra configuration. Contents will be added verbatim to the configuration file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/folding-at-home.nix>
services.foldingAtHome.enable

Whether to enable the Folding@Home to use idle CPU time.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/folding-at-home.nix>
services.foldingAtHome.nickname

A unique handle for statistics.

Default: "Anonymous"

Declared by:

<nixpkgs/nixos/modules/services/misc/folding-at-home.nix>
services.fourStore.database

RDF database name. If it doesn't exist, it will be created. Databases are stored in /var/lib/4store.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/4store.nix>
services.fourStore.enable

Whether to enable 4Store RDF database server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/4store.nix>
services.fourStore.options

Extra CLI options to pass to 4Store.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/4store.nix>
services.fourStoreEndpoint.database

RDF database name to expose via the endpoint. Defaults to local 4Store database name.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/4store-endpoint.nix>
services.fourStoreEndpoint.enable

Whether to enable 4Store SPARQL endpoint.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/4store-endpoint.nix>
services.fourStoreEndpoint.listenAddress

IP address to listen on.

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/4store-endpoint.nix>
services.fourStoreEndpoint.options

Extra CLI options to pass to 4Store's 4s-httpd process.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/4store-endpoint.nix>
services.fourStoreEndpoint.port

port to listen on.

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/databases/4store-endpoint.nix>
services.fprot.updater.enable

Whether to enable automatic F-Prot virus definitions database updates.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/fprot.nix>
services.fprot.updater.frequency

Update virus definitions every X minutes.

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/security/fprot.nix>
services.fprot.updater.licenseKeyfile

License keyfile. Defaults to the one supplied with installation package.

Declared by:

<nixpkgs/nixos/modules/services/security/fprot.nix>
services.fprot.updater.productData

product.data file. Defaults to the one supplied with installation package.

Declared by:

<nixpkgs/nixos/modules/services/security/fprot.nix>
services.frandom.enable

enable the /dev/frandom device (a very fast random number generator)

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/frandom.nix>
services.freenet.enable

Enable the Freenet daemon

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/freenet.nix>
services.freenet.nice

Set the nice level for the Freenet daemon

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/freenet.nix>
services.fuppesd.config

Mutable configuration file which can be edited with the web interface. Due to possible modification, double quote the full path of the filename stored in your filesystem to avoid attempts to modify the content of the nix store.

Example: "/etc/fuppes/fuppes.cfg"

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.database

Database file which index all shared files.

Default: "/var/lib/fuppes/fuppes.db"

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.enable

Enables Fuppes (UPnP A/V Media Server). Can be used to watch photos, video and listen to music from a phone/tv connected to the local network.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.log.file

File which will contains the log produced by the daemon.

Default: "/var/log/fuppes.log"

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.log.level

Logging level of fuppes, An integer between 0 and 3.

Default: 0

Example: 3

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.name

Enables Fuppes (UPnP A/V Media Server). Can be used to watch photos, video and listen to music from a phone/tv connected to the local network.

Example: "Media Center"

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.user

Name of the user which own the configuration files and under which the fuppes daemon will be executed.

Default: "root"

Example: "fuppes"

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.fuppesd.vfolder

XML file describing the layout of virtual folder visible by the client.

Example:

/etc/fuppes/vfolder.cfg

Declared by:

<nixpkgs/nixos/modules/services/audio/fuppes.nix>
services.ghostOne.config

Extra configuration options.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/ghost-one.nix>
services.ghostOne.enable

Enable Ghost-One Warcraft3 game hosting server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/ghost-one.nix>
services.ghostOne.language

The language of bot messages: English, Spanish, Russian, Serbian or Turkish.

Default: "English"

Declared by:

<nixpkgs/nixos/modules/services/games/ghost-one.nix>
services.ghostOne.mappath

The path to the directory where you keep your map files. GHost One doesn't require map files but if it has access to them it can send them to players and automatically calculate most map config values. GHost One will search [bot_mappath + map_localpath] for the map file (map_localpath is set in each map's config file).

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/ghost-one.nix>
services.ghostOne.war3path

The path to your local Warcraft III directory, which must contain war3.exe, storm.dll, and game.dll.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/ghost-one.nix>
services.gitDaemon.basePath

Remap all the path requests as relative to the given path. For example, if you set base-path to /srv/git, then if you later try to pull git://example.com/hello.git, Git daemon will interpret the path as /srv/git/hello.git.

Default: ""

Example: "/srv/git/"

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.enable

Enable Git daemon, which allows public hosting of git repositories without any access controls. This is mostly intended for read-only access. You can allow write access by setting daemon.receivepack configuration item of the repository to true. This is solely meant for a closed LAN setting where everybody is friendly. If you need any access controls, use something else.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.exportAll

Publish all directories that look like Git repositories (have the objects and refs subdirectories), even if they do not have the git-daemon-export-ok file. If disabled, you need to touch .git/git-daemon-export-ok in each repository you want the daemon to publish. Warning: enabling this without a repository whitelist or basePath publishes every git repository you have.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.listenAddress

Listen on a specific IP address or hostname.

Default: ""

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.options

Extra configuration options to be passed to Git daemon.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.port

Port to listen on.

Default: 9418

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.repositories

A whitelist of paths of git repositories, or directories containing repositories all of which would be published. Paths must not end in "/". Warning: leaving this empty and enabling exportAll publishes all repositories in your filesystem or basePath if specified.

Default: [ ]

Example: [ "/srv/git" "/home/user/git/repo2" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gnome3.at-spi2-core.enable

Whether to enable at-spi2-core, a service for the Assistive Technologies available on the GNOME platform.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/at-spi2-core.nix>
services.gnome3.evolution-data-server.enable

Whether to enable Evolution Data Server, a collection of services for storing addressbooks and calendars.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/evolution-data-server.nix>
services.gnome3.gnome-documents.enable

Whether to enable GNOME Documents services, a document manager application for GNOME.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/gnome-documents.nix>
services.gnome3.gnome-keyring.enable

Whether to enable GNOME Keyring daemon, a service designed to take care of the user's security credentials, such as user names and passwordsa search engine.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/gnome-keyring.nix>
services.gnome3.gnome-online-accounts.enable

Whether to enable GNOME Online Accounts daemon, a service that provides a single sign-on framework for the GNOME desktop.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-accounts.nix>
services.gnome3.gnome-online-miners.enable

Whether to enable GNOME Online Miners, a service that crawls through your online content.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/gnome-online-miners.nix>
services.gnome3.gnome-user-share.enable

Whether to enable GNOME User Share, a service that exports the contents of the Public folder in your home directory on the local network.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/gnome-user-share.nix>
services.gnome3.seahorse.enable

Whether to enable Seahorse search provider for the GNOME Shell activity search.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/seahorse.nix>
services.gnome3.sushi.enable

Whether to enable Sushi, a quick previewer for nautilus.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/sushi.nix>
services.gnome3.tracker.enable

Whether to enable Tracker services, a search engine, search tool and metadata storage system.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome3/tracker.nix>
services.gnunet.enable

Whether to run the GNUnet daemon. GNUnet is GNU's anonymous peer-to-peer communication and file sharing framework.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.extraOptions

Additional options that will be copied verbatim in `gnunet.conf'. See `gnunet.conf(5)' for details.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.fileSharing.quota

Maximum file system usage (in MiB) for file sharing.

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.load.hardNetUpBandwidth

Hard bandwidth limit (in bits per second) when uploading data.

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.load.maxNetDownBandwidth

Maximum bandwidth usage (in bits per second) for GNUnet when downloading data.

Default: 50000

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.load.maxNetUpBandwidth

Maximum bandwidth usage (in bits per second) for GNUnet when downloading data.

Default: 50000

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.tcp.port

The TCP port for use by GNUnet.

Default: 2086

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.udp.port

The UDP port for use by GNUnet.

Default: 2086

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gogoclient.autorun

Whether to automatically start the tunnel.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gogoclient.nix>
services.gogoclient.enable

Enable the gogoCLIENT IPv6 tunnel.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/gogoclient.nix>
services.gogoclient.password

Path to a file (as a string), containing your gogoNET password, if any.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/gogoclient.nix>
services.gogoclient.server

The Gateway6 server to be used.

Default: "anonymous.freenet6.net"

Example: "broker.freenet6.net"

Declared by:

<nixpkgs/nixos/modules/services/networking/gogoclient.nix>
services.gogoclient.username

Your Gateway6 login name, if any.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/gogoclient.nix>
services.gpm.enable

Whether to enable GPM, the General Purpose Mouse daemon, which enables mouse support in virtual consoles.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/gpm.nix>
services.gpm.protocol

Mouse protocol to use.

Default: "ps/2"

Declared by:

<nixpkgs/nixos/modules/services/ttys/gpm.nix>
services.gpsd.debugLevel

The debugging level.

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.device

A device may be a local serial device for GPS input, or a URL of the form: [{dgpsip|ntrip}://][user:passwd@]host[:port][/stream] in which case it specifies an input source for DGPS or ntrip data.

Default: "/dev/ttyUSB0"

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.enable

Whether to enable `gpsd', a GPS service daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.port

The port where to listen for TCP connections.

Default: 2947

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.readonly

Whether to enable the broken-device-safety, otherwise known as read-only mode. Some popular bluetooth and USB receivers lock up or become totally inaccessible when probed or reconfigured. This switch prevents gpsd from writing to a receiver. This means that gpsd cannot configure the receiver for optimal performance, but it also means that gpsd cannot break the receiver. A better solution would be for Bluetooth to not be so fragile. A platform independent method to identify serial-over-Bluetooth devices would also be nice.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.graphite.carbon.aggregationRules

Defines if and how received metrics will be agregated

Default: null

Example:

''
<env>.applications.<app>.all.requests (60) = sum <env>.applications.<app>.*.requests
<env>.applications.<app>.all.latency (60) = avg <env>.applications.<app>.*.latency
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.blacklist

Any metrics received which match one of the experssions will be dropped

Default: null

Example: "^some.noisy.metric.prefix..*"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.config

Content of carbon configuration file

Default:

''
[cache]
# Listen on localhost by default for security reasons
UDP_RECEIVER_INTERFACE = 127.0.0.1
PICKLE_RECEIVER_INTERFACE = 127.0.0.1
LINE_RECEIVER_INTERFACE = 127.0.0.1
CACHE_QUERY_INTERFACE = 127.0.0.1
# Do not log every update
LOG_UPDATES = False
LOG_CACHE_HITS = False
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.enableAggregator

Whether to enable carbon agregator, the carbon buffering service

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.enableCache

Whether to enable carbon cache, the graphite storage daemon

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.enableRelay

Whether to enable carbon relay, the carbon replication and sharding service

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.relayRules

Relay rules are used to send certain metrics to a certain backend.

Default: null

Example:

''
[example]
pattern = ^mydata\.foo\..+
servers = 10.1.2.3, 10.1.2.4:2004, myserver.mydomain.com
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.rewriteRules

Regular expression patterns that can be used to rewrite metric names in a search and replace fashion

Default: null

Example:

''
[post]
_sum$ =
_avg$ =
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.storageAggregation

Defines how to aggregate data to lower-precision retentions

Default: null

Example:

''
[all_min]
pattern = \.min$
xFilesFactor = 0.1
aggregationMethod = min
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.storageSchemas

Defines retention rates for storing metrics

Default: ""

Example:

''
[apache_busyWorkers]
pattern = ^servers\.www.*\.workers\.busyWorkers$
retentions = 15s:7d,1m:21d,15m:5y
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.whitelist

Only metrics received which match one of the experssions will be persisted

Default: null

Example: ".*"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.dataDir

Data directory for graphite.

Default: "/var/db/graphite"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.enable

Whether to enable graphite web frontend

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.host

Graphite web frontend listen address

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.port

Graphite web frontend port

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.gvpe.configFile

GVPE config file, if already present

Default: null

Example: "/root/my-gvpe-conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.configText

GVPE config contents

Default: null

Example:

''
tcp-port = 655
udp-port = 655
mtu = 1480
ifname = vpn0

node = alpha
hostname = alpha.example.org
connect = always
enable-udp = true
enable-tcp = true
on alpha if-up = if-up-0
on alpha pid-file = /var/gvpe/gvpe.pid
''

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.customIFSetup

Additional commands to apply in ifup script

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.enable

Whether to run gvpe

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.ipAddress

IP address to assign to GVPE interface

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.nodename

GVPE node name

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.startOn

Condition to start GVPE

Default: "started network-interfaces"

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.stopOn

Condition to stop GVPE

Default: "stopping network-interfaces"

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.subnet

IP subnet assigned to GVPE network

Default: null

Example: "10.0.0.0/8"

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.haproxy.config

Default configuration.

Default:

''
global
  log 127.0.0.1 local6
  maxconn  24000
  daemon
  nbproc 1

defaults
  mode http
  option httpclose

  # Remove requests from the queue if people press stop button
  option abortonclose

  # Try to connect this many times on failure
  retries 3

  # If a client is bound to a particular backend but it goes down,
  # send them to a different one
  option redispatch

  monitor-uri /haproxy-ping

  timeout connect 7s
  timeout queue   300s
  timeout client  300s
  timeout server  300s

  # Enable status page at this URL, on the port HAProxy is bound to
  stats enable
  stats uri /haproxy-status
  stats refresh 5s
  stats realm Haproxy statistics
''

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.haproxy.enable

Enable the HAProxy.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.hardware.pommed.configFile

The contents of the pommed.conf file.

Default: "/nix/store/c5zq0jpyikyvwns7gw6z17xgl9hmpyas-pommed-1.39/etc/pommed.conf"

Declared by:

<nixpkgs/nixos/modules/services/hardware/pommed.nix>
services.hardware.pommed.enable

Whether to use the pommed tool to handle Apple laptop keyboard hotkeys.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/pommed.nix>
services.haveged.enable

Whether to enable to haveged entropy daemon, which refills /dev/random when low.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/haveged.nix>
services.haveged.refill_threshold

The number of bits of available entropy beneath which haveged should refill the entropy pool.

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/security/haveged.nix>
services.hostapd.channel

Channel number (IEEE 802.11) Please note that some drivers do not use this value from hostapd and the channel will need to be configured separately with iwconfig.

Default: 7

Example: 11

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.driver

Which driver hostapd will use. Most things will probably use the default.

Default: "nl80211"

Example: "hostapd"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.enable

Enable putting a wireless interface into infrastructure mode, allowing other wireless devices to associate with the wireless interface and do wireless networking. A simple access point will enable hostapd.wpa, and hostapd.wpa_passphrase, hostapd.ssid, dhcpd on the wireless interface to provide IP addresses to the associated stations, and nat (from the wireless interface to an upstream interface).

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.extraCfg

Extra configuration options to put in the hostapd.conf

Default: ""

Example:

''
auth_algo=0
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-40][DSSS_CCK-40]
''

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.group

members of this group can control hostapd

Default: "wheel"

Example: "network"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.hwMode

Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g

Default: "b"

Example: "g"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.interface

The interfaces hostapd will use.

Default: ""

Example: "wlan0"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.ssid

SSID to be used in IEEE 802.11 management frames.

Default: "nixos"

Example: "mySpecialSSID"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.wpa

enable WPA (IEEE 802.11i/D3.0) to authenticate to the access point

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.wpaPassphrase

WPA-PSK (pre-shared-key) passphrase. Clients will need this passphrase to associate with this access point. Warning: This passphrase will get put into a world-readable file in the nix store.

Default: "my_sekret"

Example: "any_64_char_string"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.httpd.adminAddr

E-mail address of the server administrator.

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.configFile

Override the configuration file used by Apache. By default, NixOS generates one automatically.

Default: (build of httpd.conf)

Example:

pkgs.writeText "httpd.conf" "# my custom config file ...";

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.documentRoot

The path of Apache's document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.enable

Whether to enable the Apache HTTP Server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.enableSSL

Whether to enable SSL (https) support.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.enableUserDir

Whether to enable serving ~/public_html as /~username.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Default: ""

Example:

''
<Directory /home>
  Options FollowSymlinks
  AllowOverride All
</Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.extraModules

Additional Apache modules to be used. These can be specified as a string in the case of modules distributed with Apache, or as an attribute set specifying the name and path of the module.

Default: [ ]

Example:

[ "proxy_connect" { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; } ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.extraSubservices

Extra subservices to enable in the webserver.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.group

Group under which httpd runs. The account is created automatically if it doesn't exist.

Default: "wwwrun"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.hostName

Canonical hostname for the server.

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.logDir

Directory for Apache's log files. It is created automatically.

Default: "/var/log/httpd"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.logFormat

Log format for Apache's log files. Possible values are: combined, common, referer, agent.

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.logPerVirtualHost

If enabled, each virtual host gets its own access_log and error_log, namely suffixed by the hostName of the virtual host.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.maxClients

Maximum number of httpd processes (prefork)

Default: 150

Example: 8

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.maxRequestsPerChild

Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited

Default: 0

Example: 500

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.multiProcessingModule

Multi-processing module to be used by Apache. Available modules are prefork (the default; handles each request in a separate child process), worker (hybrid approach that starts a number of child processes each running a number of threads) and event (a recent variant of worker that handles persistent connections more efficiently).

Default: "prefork"

Example: "worker"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.package

Overridable attribute of the Apache HTTP Server package to use.

Default: (build of apache-httpd-2.2.27)

Example: "pkgs.apacheHttpd_2_4"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.phpOptions

Options appended to the PHP configuration file php.ini.

Default: ""

Example:

''
date.timezone = "CET"
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.port

Port for the server. 0 means use the default port: 80 for http and 443 for https (i.e. when enableSSL is set).

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.servedDirs

This option provides a simple way to serve static directories.

Default: [ ]

Example: [ { dir = "/home/eelco/Dev/nix-homepage"; urlPath = "/nix"; } ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.servedFiles

This option provides a simple way to serve individual, static files.

Default: [ ]

Example: [ { dir = "/home/eelco/some-file.png"; urlPath = "/foo/bar.png"; } ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Default: [ ]

Example: [ "www.example.org" "www.example.org:8080" "example.org" ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.sslServerCert

Path to server SSL certificate.

Default: null

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.sslServerKey

Path to server SSL certificate key.

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.stateDir

Directory for Apache's transient runtime state (such as PID files). It is created automatically. Note that the default, /run/httpd, is deleted at boot time.

Default: "/run/httpd"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.user

User account under which httpd runs. The account is created automatically if it doesn't exist.

Default: "wwwrun"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts

Specification of the virtual hosts served by Apache. Each element should be an attribute set specifying the configuration of the virtual host. The available options are the non-global options permissible for the main host.

Default: [ ]

Example: [ { documentRoot = "/data/webroot-foo"; hostName = "foo"; } { documentRoot = "/data/webroot-bar"; hostName = "bar"; } ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.*.adminAddr

E-mail address of the server administrator.

Default: null

Example: "admin@example.org"

services.httpd.virtualHosts.*.documentRoot

The path of Apache's document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Default: null

Example: "/data/webserver/docs"

services.httpd.virtualHosts.*.enableSSL

Whether to enable SSL (https) support.

Default: false

services.httpd.virtualHosts.*.enableUserDir

Whether to enable serving ~/public_html as /~username.

Default: false

services.httpd.virtualHosts.*.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Default: ""

Example:

''
<Directory /home>
  Options FollowSymlinks
  AllowOverride All
</Directory>
''
services.httpd.virtualHosts.*.extraSubservices

Extra subservices to enable in the webserver.

Default: [ ]

services.httpd.virtualHosts.*.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Default: null

Example: "http://newserver.example.org/"

services.httpd.virtualHosts.*.hostName

Canonical hostname for the server.

Default: "localhost"

services.httpd.virtualHosts.*.logFormat

Log format for Apache's log files. Possible values are: combined, common, referer, agent.

Default: "common"

Example: "combined"

services.httpd.virtualHosts.*.port

Port for the server. 0 means use the default port: 80 for http and 443 for https (i.e. when enableSSL is set).

Default: 0

services.httpd.virtualHosts.*.servedDirs

This option provides a simple way to serve static directories.

Default: [ ]

Example: [ { dir = "/home/eelco/Dev/nix-homepage"; urlPath = "/nix"; } ]

services.httpd.virtualHosts.*.servedFiles

This option provides a simple way to serve individual, static files.

Default: [ ]

Example: [ { dir = "/home/eelco/some-file.png"; urlPath = "/foo/bar.png"; } ]

services.httpd.virtualHosts.*.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Default: [ ]

Example: [ "www.example.org" "www.example.org:8080" "example.org" ]

services.httpd.virtualHosts.*.sslServerCert

Path to server SSL certificate.

Default: null

Example: "/var/host.cert"

services.httpd.virtualHosts.*.sslServerKey

Path to server SSL certificate key.

Example: "/var/host.key"

services.iodined.client

Start iodine in client mode

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iodined.nix>
services.iodined.domain

Domain or subdomain of which nameservers point to us

Default: ""

Example: "tunnel.mydomain.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodined.nix>
services.iodined.enable

Enable iodine, ip over dns daemon

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iodined.nix>
services.iodined.extraConfig

Additional command line parameters

Default: ""

Example: "-P mysecurepassword -l 192.168.1.10 -p 23"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodined.nix>
services.iodined.ip

Assigned ip address or ip range

Default: ""

Example: "172.16.10.1/24"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodined.nix>
services.ircdHybrid.adminEmail

IRCD server administrator e-mail.

Default: "<bit-bucket@example.com>"

Example: "<name@domain.tld>"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.certificate

IRCD server SSL certificate. There are some limitations - read manual.

Default: null

Example:

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.description

IRCD server description.

Default: "Hybrid-7 IRC server."

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.enable

Enable IRCD.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.extraIPs

Extra IP's to bind.

Default: [ ]

Example: [ "127.0.0.1" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.extraPort

Extra port to avoid filtering.

Default: "7117"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.rsaKey

IRCD server RSA key.

Default: null

Example:

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.serverName

IRCD server name.

Default: "hades.arpa"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.sid

IRCD server unique ID in a net of servers.

Default: "0NL"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.jboss.deployDir

Location of the deployment files

Default: "/nix/var/nix/profiles/default/server/default/deploy/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.enable

Whether to enable jboss

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.libUrl

Location where the shared library JARs are stored

Default: "file:///nix/var/nix/profiles/default/server/default/lib"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.logDir

Location of the logfile directory of JBoss

Default: "/var/log/jboss"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.serverDir

Location of the server instance files

Default: "/var/jboss/server"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.tempDir

Location where JBoss stores its temp files

Default: "/tmp"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.useJK

Whether to use to connector to the Apache HTTP server

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.user

User account under which jboss runs.

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jenkins.enable

Whether to enable the jenkins continuous integration server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.environment

Additional environment variables to be passed to the jenkins process. The environment will always include JENKINS_HOME.

Default: { NIX_REMOTE = "daemon"; }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.group

If the default user "jenkins" is configured then this is the primary group of that user.

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.home

The path to use as JENKINS_HOME. If the default user "jenkins" is configured then this is the home of the "jenkins" user.

Default: "/var/lib/jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.packages

Packages to add to PATH for the jenkins process.

Default: [ (build of stdenv) (build of git-minimal-1.9.4) (build of openjdk-7u65b32) (build of openssh-6.6p1) (build of ) ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.port

Specifies port number on which the jenkins HTTP interface listens. The default is 8080.

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.user

User the jenkins server should execute under.

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkinsSlave.enable

If true the system will be configured to work as a jenkins slave. If the system is also configured to work as a jenkins master then this has no effect. In progress: Currently only assures the jenkins user is configured.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.group

If the default slave agent user "jenkins" is configured then this is the primary group of that user.

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.home

The path to use as JENKINS_HOME. If the default user "jenkins" is configured then this is the home of the "jenkins" user.

Default: "/var/lib/jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.user

User the jenkins slave agent should execute under.

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.journald.console

If non-empty, write log messages to the specified TTY device.

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
services.journald.enableHttpGateway

Whether to enable the HTTP gateway to the journal.

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
services.journald.extraConfig

Extra config options for systemd-journald. See man journald.conf for available options.

Default: ""

Example: "Storage=volatile"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
services.journald.rateLimitBurst

Configures the rate limiting burst limit (number of messages per interval) that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other's limit.

Default: 100

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
services.journald.rateLimitInterval

Configures the rate limiting interval that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other's limit. The value may be specified in the following units: s, min, h, ms, us. To turn off any kind of rate limiting, set either value to 0.

Default: "10s"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
services.kerberos_server.enable

Enable the kerberos authentification server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos.nix>
services.kippo.enable

Enable the kippo honeypot ssh server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.kippo.extraConfig

Extra verbatim configuration added to the end of kippo.cfg.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.kippo.hostname

Hostname for kippo to present to SSH login

Default: "nas3"

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.kippo.logPath

Path of log files needed for operation and configuration.

Default: "/var/log/kippo"

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.kippo.pidPath

Path of pid files needed for operation.

Default: "/run/kippo"

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.kippo.port

TCP port number for kippo to bind to.

Default: 2222

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.kippo.varPath

Path of read/write files needed for operation and configuration.

Default: "/var/lib/kippo"

Declared by:

<nixpkgs/nixos/modules/services/networking/kippo.nix>
services.klogd.enable

Whether to enable klogd, the kernel log message processing daemon. Since systemd handles logging of kernel messages on Linux 3.5 and later, this is only useful if you're running an older kernel.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/klogd.nix>
services.kmscon.enable

Use kmscon as the virtual console instead of gettys. kmscon is a kms/dri-based userspace virtual terminal implementation. It supports a richer feature set than the standard linux console VT, including full unicode support, and when the video card supports drm should be much faster.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.extraConfig

Extra contents of the kmscon.conf file.

Default: ""

Example: "font-size=14"

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.hwRender

Whether to use 3D hardware acceleration to render the console.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.lighttpd.cgit.configText

Verbatim contents of the cgit runtime configuration file. Documentation (with cgitrc example file) is available in "man cgitrc". Or online: http://git.zx2c4.com/cgit/tree/cgitrc.5.txt

Default: ""

Example:

''
cache-size=1000
scan-path=/srv/git
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix>
services.lighttpd.cgit.enable

If true, enable cgit (fast web interface for git repositories) as a sub-service in lighttpd. cgit will be accessible at http://yourserver/cgit

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix>
services.lighttpd.configText

Overridable config file contents to use for lighttpd. By default, use the contents automatically generated by NixOS.

Default: ""

Example: "...verbatim config file contents..."

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.document-root

Document-root of the web server. Must be readable by the "lighttpd" user.

Default: "/srv/www"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.enable

Enable the lighttpd web server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.extraConfig

These configuration lines will be appended to the generated lighttpd config file. Note that this mechanism does not work when the manual configText option is used.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.gitweb.enable

If true, enable gitweb in lighttpd. Access it at http://yourserver/gitweb

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix>
services.lighttpd.gitweb.extraConfig

Verbatim configuration text appended to the generated gitweb.conf file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix>
services.lighttpd.gitweb.projectroot

Path to git projects (bare repositories) that should be served by gitweb. Must not end with a slash.

Default: "/srv/git"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix>
services.lighttpd.mod_status

Show server status overview at /server-status, statistics at /server-statistics and list of loaded modules at /server-config.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.mod_userdir

If true, requests in the form /~user/page.html are rewritten to take the file public_html/page.html from the home directory of the user.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.port

TCP port number for lighttpd to bind to.

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.locate.enable

If enabled, NixOS will periodically update the database of files used by the locate command.

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.period

This option defines (in the format used by cron) when the locate database is updated. The default is to update at 02:15 at night every day.

Default: "15 02 * * *"

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.logcheck.config

Config options that you would like in logcheck.conf.

Default: "FQDN=1"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.enable

Enable the logcheck cron job.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.extraGroups

Extra groups for the logcheck user, for example to be able to use sendmail, or to access certain log files.

Default: [ ]

Example: [ "postdrop" "mongodb" ]

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.extraRulesDirs

Directories with extra rules.

Default: [ ]

Example: "/etc/logcheck"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.files

Which log files to check.

Default: [ "/var/log/messages" ]

Example: [ "/var/log/messages" "/var/log/mail" ]

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignore

This option defines extra ignore rules.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignore.<name?>.level

Set the logcheck level. Either "workstation", "server", or "paranoid".

Default: "server"

services.logcheck.ignore.<name?>.regex

Regex specifying which log lines to ignore.

Default: ""

services.logcheck.ignoreCron

This option defines extra ignore rules for cronjobs.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignoreCron.<name?>.cmdline

Command line for the cron job. Will be turned into a regex for the logcheck ignore rule.

Default: ""

services.logcheck.ignoreCron.<name?>.level

Set the logcheck level. Either "workstation", "server", or "paranoid".

Default: "server"

services.logcheck.ignoreCron.<name?>.regex

Regex specifying which log lines to ignore.

Default: ""

services.logcheck.ignoreCron.<name?>.timeArgs

"min hr dom mon dow" crontab time args, to auto-create a cronjob too. Leave at null to not do this and just add a logcheck ignore rule.

Default: null

Example: "02 06 * * *"

services.logcheck.ignoreCron.<name?>.user

User that runs the cronjob.

Default: "root"

services.logcheck.level

Set the logcheck level. Either "workstation", "server", or "paranoid".

Default: "server"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.mailTo

Email address to send reports to.

Default: "root"

Example: "you@domain.com"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.timeOfDay

Time of day to run logcheck. A logcheck will be scheduled at xx:02 each day. Leave default (*) to run every hour. Of course when nothing special was logged, logcheck will be silent.

Default: "*"

Example: "6"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.user

Username for the logcheck user.

Default: "logcheck"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logind.extraConfig

Extra config options for systemd-logind. See man logind.conf for available options.

Default: ""

Example: "HandleLidSwitch=ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
services.logrotate.config

The contents of the logrotate config file

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.enable

Enable the logrotate cron job

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logstash.enable

Enable logstash

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.filterConfig

logstash filter configuration

Default: "noop {}"

Example:

''
if [type] == "syslog" {
  # Keep only relevant systemd fields
  # http://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
  prune {
    whitelist_names => [
      "type", "@timestamp", "@version",
      "MESSAGE", "PRIORITY", "SYSLOG_FACILITY",
    ]
  }
}
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.inputConfig

Logstash input configuration

Default: ''stdin { type => "example" }''

Example:

''
# Read from journal
pipe {
  command => "/nix/store/kj0855m9xayg5ph5vwrnvcjzv8wkssbh-systemd-212/bin/journalctl -f -o json"
  type => "syslog" codec => json {}
}
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.outputConfig

Logstash output configuration

Default: ''stdout { debug => true debug_format => "json"}''

Example:

''
redis { host => "localhost" data_type => "list" key => "logstash" codec => json }
elasticsearch { embedded => true }
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.lshd.enable

Whether to enable the GNU lshd SSH2 daemon, which allows secure remote login.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.hostKey

Path to the server's private key. Note that this key must have been created, e.g., using "lsh-keygen --server | lsh-writekey --server", so that you can run lshd.

Default: "/etc/lsh/host-key"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.interfaces

List of network interfaces where listening for connections. When providing the empty list, `[]', lshd listens on all network interfaces.

Default: [ ]

Example: [ "localhost" "1.2.3.4:443" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.loginShell

If non-null, override the default login shell with the specified value.

Default: null

Example: "/nix/store/xyz-bash-10.0/bin/bash10"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.passwordAuthentication

Whether to enable password authentication.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.portNumber

The port on which to listen for connections.

Default: 22

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.publicKeyAuthentication

Whether to enable public key authentication.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.rootLogin

Whether to enable remote root login.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.srpKeyExchange

Whether to enable SRP key exchange and user authentication.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.subsystems

List of subsystem-path pairs, where the head of the pair denotes the subsystem name, and the tail denotes the path to an executable implementing it.

Default: [ [ "sftp" "/nix/store/7s05hsb9y1wgk3q24w35yj5wqnq3rvg7-lsh-2.0.4/sbin/sftp-server" ] ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.syslog

Whether to enable syslog output.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.tcpForwarding

Whether to enable TCP/IP forwarding.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.lshd.x11Forwarding

Whether to enable X11 forwarding.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/lshd.nix>
services.mail.freepopsd.bind

Bind over an IPv4 address instead of any.

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.freepopsd.enable

Enables Freepops, a POP3 webmail wrapper.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.freepopsd.logFile

Filename of the log file or syslog to rely on the logging daemon.

Default: "/var/log/freepopsd"

Example: "syslog"

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.freepopsd.port

Port on which the pop server will listen.

Default: 2000

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.freepopsd.suid.group

Group under which freepopsd will be after binding the port.

Default: "nogroup"

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.freepopsd.suid.user

User name under which freepopsd will be after binding the port.

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.freepopsd.threads

Max simultaneous connections.

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/mail/freepops.nix>
services.mail.sendmailSetuidWrapper

Configuration for the sendmail setuid wrwapper (like an element of security.setuidOwners)";

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/mail.nix>
services.memcached.enable

Whether to enable Memcached.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.extraOptions

A list of extra options that will be added as a suffix when running memcached

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.listen

The IP address to bind to

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.maxConnections

The maximum number of simultaneous connections

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.maxMemory

The maximum amount of memory to use for storage, in megabytes.

Default: 64

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.port

The port to bind to

Default: 11211

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.socket

Unix socket path to listen on. Setting this will disable network support

Default: ""

Example: "/var/run/memcached"

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.user

The user to run Memcached as

Default: "memcached"

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.minecraft-server.enable

If enabled, start a Minecraft Server. The listening port for the server is always 25565. The server data will be loaded from and saved to /var/lib/minecraft.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.jvmOpts

JVM options for the Minecraft Service.

Default: "-Xmx2048M -Xms2048M"

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.mingetty.greetingLine

Welcome line printed by mingetty.

Default: ''<<< Welcome to NixOS 14.04.439.2b27053 (\m) - \l >>>''

Declared by:

<nixpkgs/nixos/modules/services/ttys/agetty.nix>
services.mingetty.helpLine

Help line printed by mingetty below the welcome line. Used by the installation CD to give some hints on how to proceed.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/ttys/agetty.nix>
services.mingetty.serialSpeed

Bitrates to allow for agetty's listening on serial ports. Listing more bitrates gives more interoperability but at the cost of long delays for getting a sync on the line.

Default: [ 115200 57600 38400 9600 ]

Example: [ 38400 9600 ]

Declared by:

<nixpkgs/nixos/modules/services/ttys/agetty.nix>
services.minidlna.config

The contents of MiniDLNA's configuration file.

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.enable

Whether to enable MiniDLNA, a simple DLNA server. It serves media files such as video and music to DLNA client devices such as televisions and media players.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.mediaDirs

Directories to be scanned for media files. The prefixes A,, V, and P, restrict a directory to audio, video or image files. The directories must be accessible to the minidlna user account.

Default: [ ]

Example: [ "/data/media" "V,/home/alice/video" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.monetdb.dbfarmDir

Specifies location of Monetdb dbfarm (keeps database and auxiliary files).

Default: "/var/lib/monetdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.enable

Whether to enable MonetDB database server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.package

MonetDB package to use.

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.port

Port to listen on.

Default: "50000"

Example: "50000"

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.mongodb.bind_ip

IP to bind to

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.dbpath

Location where MongoDB stores its files

Default: "/var/db/mongodb"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.enable

Whether to enable the MongoDB server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.logappend

Append logfile instead over overwriting

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.logpath

Location where MongoDB stores its logfile

Default: "/var/log/mongodb/mongod.log"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.package

Which MongoDB derivation to use.

Default: (build of mongodb-2.4.8)

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.quiet

quieter output

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.replSetName

If this instance is part of a replica set, set its name here. Otherwise, leave empty to run as single node.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.user

User account under which MongoDB runs

Default: "mongodb"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.monit.config

monit.conf content

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/monit.nix>
services.monit.enable

Whether to run Monit system watcher.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/monit.nix>
services.monit.startOn

What Monit supposes to be already present

Default: "started network-interfaces"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/monit.nix>
services.mpd.dataDir

The directory where MPD stores its state, tag cache, playlists etc.

Default: "/var/lib/mpd/"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.enable

Whether to enable MPD, the music player daemon.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.extraConfig

Extra directives added to to the end of MPD's configuration file, mpd.conf. Basic configuration like file location and uid/gid is added automatically to the beginning of the file.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.musicDirectory

Extra configuration added to the end of MPD's configuration file, mpd.conf.

Default: "/var/lib/mpd//music"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.munin-cron.enable

Enable munin-cron. Takes care of all heavy lifting to collect data from nodes and draws graphs to html. Runs munin-update, munin-limits, munin-graphs and munin-html in that order. HTML output is in /var/www/munin/, configure your favourite webserver to serve static files.

Default: false

Example:

services = {
   munin-node.enable = true;
   munin-cron = {
     enable = true;
     hosts = ''
       [${config.networking.hostName}]
       address localhost
     '';
     extraGlobalConfig = ''
       contact.email.command mail -s "Munin notification for ${var:host}" someone@example.com
     '';
   };
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-cron.extraGlobalConfig

munin.conf extra global configuration. See http://munin-monitoring.org/wiki/munin.conf. Useful to setup notifications, see http://munin-monitoring.org/wiki/HowToContact

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-cron.hosts

Definitions of hosts of nodes to collect data from. Needs at least one hosts for cron to succeed. See http://munin-monitoring.org/wiki/munin.conf

Example:

''
[''${config.networking.hostName}]
address localhost
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.enable

Enable Munin Node agent. Munin node listens on 0.0.0.0 and by default accepts connections only from 127.0.0.1 for security reasons. See http://munin-monitoring.org/wiki/munin-node.conf.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.extraConfig

munin-node.conf extra configuration. See http://munin-monitoring.org/wiki/munin-node.conf

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.murmur.allowHtml

Allow HTML in client messages, comments, and channel descriptions.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.autobanAttempts

Number of attempts a client is allowed to make in autobanTimeframe seconds, before being banned for autobanTime.

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.autobanTime

The amount of time an IP ban lasts (in seconds).

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.autobanTimeframe

Timeframe in which a client can connect without being banned for repeated attempts (in seconds).

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.bandwidth

Maximum bandwidth (in bits per second) that clients may send speech at.

Default: 72000

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.bonjour

Enable Bonjour auto-discovery, which allows clients over your LAN to automatically discover Murmur servers.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.clientCertRequired

Require clients to authenticate via certificates.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.enable

If enabled, start the Murmur Service.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.hostName

Host to bind to. Defaults binding on all addresses.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.imgMsgLength

Max length of image messages. Set 0 for no limit.

Default: 131072

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.logDays

How long to store RPC logs for in the database. Set 0 to keep logs forever, or -1 to disable DB logging.

Default: 31

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.password

Required password to join server, if specified.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.pidfile

Path to PID file for Murmur daemon.

Default: "/tmp/murmurd.pid"

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.port

Ports to bind to (UDP and TCP).

Default: 64738

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerHostname

DNS hostname where your server can be reached. This is only needed if you want your server to be accessed by its hostname and not IP - but the name *must* resolve on the internet properly.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerName

Public server registration name, and also the name of the Root channel. Even if you don't publicly register your server, you probably still want to set this.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerPassword

Public server registry password, used authenticate your server to the registry to prevent impersonation; required for subsequent registry updates.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerUrl

URL website for your server.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sendVersion

Send Murmur version in UDP response.

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sslCert

Path to your SSL certificate.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sslKey

Path to your SSL key.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.textMsgLength

Max length of text messages. Set 0 for no limit.

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.users

Maximum number of concurrent clients allowed.

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.welcome

Welcome message for connected clients.

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.mysql.dataDir

Location where MySQL stores its table files

Default: "/var/mysql"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.enable

Whether to enable the MySQL server.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.extraOptions

Provide extra options to the MySQL configuration file. Please note, that these options are added to the [mysqld] section so you don't need to explicitly state it again.

Default: ""

Example:

''
key_buffer_size = 6G
table_cache = 1600
log-error = /var/log/mysql_err.log
''

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.initialDatabases

List of database names and their initial schemas that should be used to create databases on the first startup of MySQL

Default: [ ]

Example: [ { name = "foodatabase"; schema = ./foodatabase.sql; } { name = "bardatabase"; schema = ./bardatabase.sql; } ]

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.initialScript

A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.package

Which MySQL derivation to use.

Example:

pkgs.mysql

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.pidDir

Location of the file which stores the PID of the MySQL server

Default: "/var/run/mysql"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.port

Port of MySQL

Default: "3306"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterHost

Hostname of the MySQL master server

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterPassword

Password of the MySQL replication user

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterPort

Port number on which the MySQL master server runs

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterUser

Username of the MySQL replication user

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.role

Role of the MySQL server instance. Can be either: master, slave or none

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.serverId

Id of the MySQL server instance. This number must be unique for each instance

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.rootPassword

Path to a file containing the root password, modified on the first startup. Not specifying a root password will leave the root password empty.

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.user

User account under which MySQL runs

Default: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysqlBackup.databases

List of database names to dump.

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.enable

Whether to enable MySQL backups.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.location

Location to put the gzipped MySQL database dumps.

Default: "/var/backup/mysql"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.period

This option defines (in the format used by cron) when the databases should be dumped. The default is to update at 01:15 (at night) every day.

Default: "15 01 * * *"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.singleTransaction

Whether to create database dump in a single transaction

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.user

User to be used to perform backup.

Default: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.nagios.enable

Whether to use Nagios to monitor your system or network.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios/default.nix>
services.nagios.enableWebInterface

Whether to enable the Nagios web interface. You should also enable Apache (services.httpd.enable).

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios/default.nix>
services.nagios.objectDefs

A list of Nagios object configuration files that must define the hosts, host groups, services and contacts for the network that you want Nagios to monitor.

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios/default.nix>
services.nagios.plugins

Packages to be added to the Nagios PATH. Typically used to add plugins, but can be anything.

Default: [ (build of nagios-plugins-1.4.10) (build of ssmtp-2.64) ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios/default.nix>
services.nagios.urlPath

The URL path under which the Nagios web interface appears. That is, you can access the Nagios web interface through http://server/urlPath.

Default: "/nagios"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios/default.nix>
services.networking.websockify.enable

Whether to enable websockify to forward websocket connections to TCP connections.

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.networking.websockify.portMap

Ports to map by default.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.networking.websockify.sslCert

Path to the SSL certificate.

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.networking.websockify.sslKey

Path to the SSL key.

Default: "config.services.networking.websockify.sslCert"

Declared by: