I. Installation
1. Obtaining NixOS
2. Installing NixOS
2.1. UEFI Installation
2.2. Booting from a USB Drive
2.3. Booting from the netboot media (PXE)
2.4. Installing in a Virtualbox guest
3. Changing the Configuration
4. Upgrading NixOS
4.1. Automatic Upgrades
II. Configuration
5. Configuration Syntax
5.1. NixOS Configuration File
5.2. Abstractions
5.3. Modularity
5.4. Syntax Summary
6. Package Management
6.1. Declarative Package Management
6.1.1. Customising Packages
6.1.2. Adding Custom Packages
6.2. Ad-Hoc Package Management
7. User Management
8. File Systems
8.1. LUKS-Encrypted File Systems
9. X Window System
10. Networking
10.1. NetworkManager
10.2. Secure Shell Access
10.3. IPv4 Configuration
10.4. IPv6 Configuration
10.5. Firewall
10.6. Wireless Networks
10.7. Ad-Hoc Configuration
11. Linux Kernel
11.1. Developing kernel modules
12. DNSCrypt client proxy
12.1. Basic configuration
12.2. As a forwarder for a caching DNS client
12.2.1. dnsmasq
12.2.2. unbound
13. Taskserver
13.1. Configuration
13.2. The nixos-taskserver tool
13.3. Declarative/automatic CA management
13.4. Manual CA management
14. Gitlab
14.1. Prerequisites
14.2. Configuring
14.3. Maintenance
15. Emacs
15.1. Installing Emacs
15.1.1. The Different Releases of Emacs
15.1.2. Adding Packages to Emacs
15.1.3. Advanced Emacs Configuration
15.2. Running Emacs as a Service
15.2.1. Enabling the Service
15.2.2. Starting the client
15.2.3. Configuring the EDITOR variable
15.2.4. Per-User Enabling of the Service
15.3. Configuring Emacs
15.3.1. A Major Mode for Nix Expressions
15.3.2. Accessing man pages
16. PostgreSQL
16.1. Configuring
16.2. Upgrading
16.3. Options
17. Grsecurity/PaX
17.1. Enabling grsecurity/PaX
17.2. Declarative tuning
17.3. Manual tuning
17.4. Security considerations
17.5. Using a custom grsecurity/PaX kernel
17.6. Per-executable PaX flags
17.7. Issues and work-arounds
17.8. Grsecurity/PaX kernel parameters
18. SSL/TLS Certificates with ACME
18.1. Prerequisites
18.2. Configuring
18.3. Using ACME certificates in Nginx
19. Input Methods
19.1. IBus
19.2. Fcitx
19.3. Nabi
19.4. Uim
III. Administration
20. Service Management
21. Rebooting and Shutting Down
22. User Sessions
23. Control Groups
24. Logging
25. Cleaning the Nix Store
26. Container Management
26.1. Imperative Container Management
26.2. Declarative Container Specification
26.3. Container Networking
27. Troubleshooting
27.1. Boot Problems
27.2. Maintenance Mode
27.3. Rolling Back Configuration Changes
27.4. Nix Store Corruption
27.5. Network Problems
IV. Development
28. Getting the Sources
29. Writing NixOS Modules
29.1. Option Declarations
29.2. Option Definitions
29.3. Meta Attributes
30. Building Specific Parts of NixOS
31. Building Your Own NixOS CD
32. NixOS Tests
32.1. Writing Tests
32.2. Running Tests
32.3. Running Tests interactively
33. Testing the Installer
34. Releases
34.1. Release process
34.1.1. One month before the beta
34.1.2. At beta release time
34.1.3. Before the final release
34.1.4. At final release time
34.2. Release schedule
A. Configuration Options
B. Release Notes
B.1. Release 16.09 (“Flounder”, 2016/09/30)
B.2. Release 16.03 (“Emu”, 2016/03/31)
B.3. Release 15.09 (“Dingo”, 2015/09/30)
B.4. Release 14.12 (“Caterpillar”, 2014/12/30)
B.5. Release 14.04 (“Baboon”, 2014/04/30)
B.6. Release 13.10 (“Aardvark”, 2013/10/31)

This manual describes how to install, use and extend NixOS, a Linux distribution based on the purely functional package management system Nix.

If you encounter problems, please report them on the mailing list or on the #nixos channel on Freenode. Bugs should be reported in NixOS’ GitHub issue tracker.

Note: Commands prefixed with # have to be run as root, either requiring to login as root user or temporarily switching to it using sudo for example.

This section describes how to obtain, install, and configure NixOS for first-time use.

Chapter 1. Obtaining NixOS

NixOS ISO images can be downloaded from the NixOS download page. There are a number of installation options. If you happen to have an optical drive and a spare CD, burning the image to CD and booting from that is probably the easiest option. Most people will need to prepare a USB stick to boot from. Unetbootin is recommended and the process is described in brief below. Note that systems which use UEFI require some additional manual steps. If you run into difficulty a number of alternative methods are presented in the NixOS Wiki.

As an alternative to installing NixOS yourself, you can get a running NixOS system through several other means:

  • Using virtual appliances in Open Virtualization Format (OVF) that can be imported into VirtualBox. These are available from the NixOS download page.

  • Using AMIs for Amazon’s EC2. To find one for your region and instance type, please refer to the list of most recent AMIs.

  • Using NixOps, the NixOS-based cloud deployment tool, which allows you to provision VirtualBox and EC2 NixOS instances from declarative specifications. Check out the NixOps homepage for details.

Chapter 2. Installing NixOS

  1. Boot from the CD.

  2. The CD contains a basic NixOS installation. (It also contains Memtest86+, useful if you want to test new hardware). When it’s finished booting, it should have detected most of your hardware.

  3. The NixOS manual is available on virtual console 8 (press Alt+F8 to access).

  4. You get logged in as root (with empty password).

  5. If you downloaded the graphical ISO image, you can run systemctl start display-manager to start KDE. If you want to continue on the terminal, you can use loadkeys to switch to your preferred keyboard layout. (We even provide neo2 via loadkeys de neo!)

  6. The boot process should have brought up networking (check ip a). Networking is necessary for the installer, since it will download lots of stuff (such as source tarballs or Nixpkgs channel binaries). It’s best if you have a DHCP server on your network. Otherwise configure networking manually using ifconfig.

    To manually configure the network on the graphical installer, first disable network-manager with systemctl stop network-manager.

  7. The NixOS installer doesn’t do any partitioning or formatting yet, so you need to do that yourself. Use the following commands:

    • For partitioning: fdisk.

    • For initialising Ext4 partitions: mkfs.ext4. It is recommended that you assign a unique symbolic label to the file system using the option -L label, since this makes the file system configuration independent from device changes. For example:

      # mkfs.ext4 -L nixos /dev/sda1

    • For creating swap partitions: mkswap. Again it’s recommended to assign a label to the swap partition: -L label.

    • For creating LVM volumes, the LVM commands, e.g.,

      # pvcreate /dev/sda1 /dev/sdb1
      # vgcreate MyVolGroup /dev/sda1 /dev/sdb1
      # lvcreate --size 2G --name bigdisk MyVolGroup
      # lvcreate --size 1G --name smalldisk MyVolGroup

    • For creating software RAID devices, use mdadm.

  8. Mount the target file system on which NixOS should be installed on /mnt, e.g.

    # mount /dev/disk/by-label/nixos /mnt

  9. If your machine has a limited amount of memory, you may want to activate swap devices now (swapon device). The installer (or rather, the build actions that it may spawn) may need quite a bit of RAM, depending on your configuration.

  10. You now need to create a file /mnt/etc/nixos/configuration.nix that specifies the intended configuration of the system. This is because NixOS has a declarative configuration model: you create or edit a description of the desired configuration of your system, and then NixOS takes care of making it happen. The syntax of the NixOS configuration file is described in Chapter 5, Configuration Syntax, while a list of available configuration options appears in Appendix A, Configuration Options. A minimal example is shown in Example 2.2, “NixOS Configuration”.

    The command nixos-generate-config can generate an initial configuration file for you:

    # nixos-generate-config --root /mnt

    You should then edit /mnt/etc/nixos/configuration.nix to suit your needs:

    # nano /mnt/etc/nixos/configuration.nix

    If you’re using the graphical ISO image, other editors may be available (such as vim). If you have network access, you can also install other editors — for instance, you can install Emacs by running nix-env -i emacs.

    You must set the option boot.loader.grub.device to specify on which disk the GRUB boot loader is to be installed. Without it, NixOS cannot boot.

    Another critical option is fileSystems, specifying the file systems that need to be mounted by NixOS. However, you typically don’t need to set it yourself, because nixos-generate-config sets it automatically in /mnt/etc/nixos/hardware-configuration.nix from your currently mounted file systems. (The configuration file hardware-configuration.nix is included from configuration.nix and will be overwritten by future invocations of nixos-generate-config; thus, you generally should not modify it.)

    Note: Depending on your hardware configuration or type of file system, you may need to set the option boot.initrd.kernelModules to include the kernel modules that are necessary for mounting the root file system, otherwise the installed system will not be able to boot. (If this happens, boot from the CD again, mount the target file system on /mnt, fix /mnt/etc/nixos/configuration.nix and rerun nixos-install.) In most cases, nixos-generate-config will figure out the required modules.
  11. Do the installation:

    # nixos-install

    Cross fingers. If this fails due to a temporary problem (such as a network issue while downloading binaries from the NixOS binary cache), you can just re-run nixos-install. Otherwise, fix your configuration.nix and then re-run nixos-install.

    As the last step, nixos-install will ask you to set the password for the root user, e.g.

    setting root password...
    Enter new UNIX password: ***
    Retype new UNIX password: ***

  12. If everything went well:

    # reboot

  13. You should now be able to boot into the installed NixOS. The GRUB boot menu shows a list of available configurations (initially just one). Every time you change the NixOS configuration (see Changing Configuration ), a new item is added to the menu. This allows you to easily roll back to a previous configuration if something goes wrong.

    You should log in and change the root password with passwd.

    You’ll probably want to create some user accounts as well, which can be done with useradd:

    $ useradd -c 'Eelco Dolstra' -m eelco
    $ passwd eelco

    You may also want to install some software. For instance,

    $ nix-env -qa \*

    shows what packages are available, and

    $ nix-env -i w3m

    install the w3m browser.

To summarise, Example 2.1, “Commands for Installing NixOS on /dev/sda shows a typical sequence of commands for installing NixOS on an empty hard drive (here /dev/sda). Example 2.2, “NixOS Configuration” shows a corresponding configuration Nix expression.

Example 2.1. Commands for Installing NixOS on /dev/sda

# fdisk /dev/sda # (or whatever device you want to install on)
# mkfs.ext4 -L nixos /dev/sda1
# mkswap -L swap /dev/sda2
# swapon /dev/sda2
# mount /dev/disk/by-label/nixos /mnt
# nixos-generate-config --root /mnt
# nano /mnt/etc/nixos/configuration.nix
# nixos-install
# reboot

Example 2.2. NixOS Configuration

{ config, pkgs, ... }:

  imports =
    [ # Include the results of the hardware scan.

  boot.loader.grub.device = "/dev/sda";

  # Note: setting fileSystems is generally not
  # necessary, since nixos-generate-config figures them out
  # automatically in hardware-configuration.nix.
  #fileSystems."/".device = "/dev/disk/by-label/nixos";

  # Enable the OpenSSH server.
  services.sshd.enable = true;

2.1. UEFI Installation

NixOS can also be installed on UEFI systems. The procedure is by and large the same as a BIOS installation, with the following changes:

  • You should boot the live CD in UEFI mode (consult your specific hardware's documentation for instructions). You may find the rEFInd boot manager useful.

  • Instead of fdisk, you should use gdisk to partition your disks. You will need to have a separate partition for /boot with partition code EF00, and it should be formatted as a vfat filesystem.

  • You must set boot.loader.systemd-boot.enable to true. nixos-generate-config should do this automatically for new configurations when booted in UEFI mode.

  • After having mounted your installation partition to /mnt, you must mount the boot partition to /mnt/boot.

  • You may want to look at the options starting with boot.loader.efi and boot.loader.systemd-boot as well.

2.2. Booting from a USB Drive

For systems without CD drive, the NixOS live CD can be booted from a USB stick. You can use the dd utility to write the image: dd if=path-to-image of=/dev/sdb. Be careful about specifying the correct drive; you can use the lsblk command to get a list of block devices.

The dd utility will write the image verbatim to the drive, making it the recommended option for both UEFI and non-UEFI installations. For non-UEFI installations, you can alternatively use unetbootin. If you cannot use dd for a UEFI installation, you can also mount the ISO, copy its contents verbatim to your drive, then either:

  • Change the label of the disk partition to the label of the ISO (visible with the blkid command), or

  • Edit loader/entries/nixos-livecd.conf on the drive and change the root= field in the options line to point to your drive (see the documentation on root= in the kernel documentation for more details).

2.3. Booting from the netboot media (PXE)

Advanced users may wish to install NixOS using an existing PXE or iPXE setup.

These instructions assume that you have an existing PXE or iPXE infrastructure and simply want to add the NixOS installer as another option. To build the necessary files from a recent version of nixpkgs, you can run:

nix-build -A netboot nixos/release.nix

This will create a result directory containing: * bzImage – the Linux kernel * initrd – the initrd file * netboot.ipxe – an example ipxe script demonstrating the appropriate kernel command line arguments for this image

If you’re using plain PXE, configure your boot loader to use the bzImage and initrd files and have it provide the same kernel command line arguments found in netboot.ipxe.

If you’re using iPXE, depending on how your HTTP/FTP/etc. server is configured you may be able to use netboot.ipxe unmodified, or you may need to update the paths to the files to match your server’s directory layout

In the future we may begin making these files available as build products from hydra at which point we will update this documentation with instructions on how to obtain them either for placing on a dedicated TFTP server or to boot them directly over the internet.

2.4. Installing in a Virtualbox guest

Installing NixOS into a Virtualbox guest is convenient for users who want to try NixOS without installing it on bare metal. If you want to use a pre-made Virtualbox appliance, it is available at the downloads page. If you want to set up a Virtualbox guest manually, follow these instructions:

  1. Add a New Machine in Virtualbox with OS Type "Linux / Other Linux"

  2. Base Memory Size: 768 MB or higher.

  3. New Hard Disk of 8 GB or higher.

  4. Mount the CD-ROM with the NixOS ISO (by clicking on CD/DVD-ROM)

  5. Click on Settings / System / Processor and enable PAE/NX

  6. Click on Settings / System / Acceleration and enable "VT-x/AMD-V" acceleration

  7. Save the settings, start the virtual machine, and continue installation like normal

There are a few modifications you should make in configuration.nix. Enable the virtualbox guest service in the main block:

virtualisation.virtualbox.guest.enable = true;

Enable booting:

boot.loader.grub.device = "/dev/sda";

Also remove the fsck that runs at startup. It will always fail to run, stopping your boot until you press *.

boot.initrd.checkJournalingFS = false;

Shared folders can be given a name and a path in the host system in the VirtualBox settings (Machine / Settings / Shared Folders, then click on the "Add" icon). Add the following to the /etc/nixos/configuration.nix to auto-mount them:

{ config, pkgs, ...} :

  fileSystems."/virtualboxshare" = {
    fsType = "vboxsf";
    device = "nameofthesharedfolder";
    options = [ "rw" ];

The folder will be available directly under the root directory.

Chapter 3. Changing the Configuration

The file /etc/nixos/configuration.nix contains the current configuration of your machine. Whenever you’ve changed something to that file, you should do

# nixos-rebuild switch

to build the new configuration, make it the default configuration for booting, and try to realise the configuration in the running system (e.g., by restarting system services).

Warning: These commands must be executed as root, so you should either run them from a root shell or by prefixing them with sudo -i.

You can also do

# nixos-rebuild test

to build the configuration and switch the running system to it, but without making it the boot default. So if (say) the configuration locks up your machine, you can just reboot to get back to a working configuration.

There is also

# nixos-rebuild boot

to build the configuration and make it the boot default, but not switch to it now (so it will only take effect after the next reboot).

You can make your configuration show up in a different submenu of the GRUB 2 boot screen by giving it a different profile name, e.g.

# nixos-rebuild switch -p test 

which causes the new configuration (and previous ones created using -p test) to show up in the GRUB submenu “NixOS - Profile 'test'”. This can be useful to separate test configurations from “stable” configurations.

Finally, you can do

$ nixos-rebuild build

to build the configuration but nothing more. This is useful to see whether everything compiles cleanly.

If you have a machine that supports hardware virtualisation, you can also test the new configuration in a sandbox by building and running a QEMU virtual machine that contains the desired configuration. Just do

$ nixos-rebuild build-vm
$ ./result/bin/run-*-vm

The VM does not have any data from your host system, so your existing user accounts and home directories will not be available. You can forward ports on the host to the guest. For instance, the following will forward host port 2222 to guest port 22 (SSH):

$ QEMU_NET_OPTS="hostfwd=tcp::2222-:22" ./result/bin/run-*-vm

allowing you to log in via SSH (assuming you have set the appropriate passwords or SSH authorized keys):

$ ssh -p 2222 localhost

Chapter 4. Upgrading NixOS

The best way to keep your NixOS installation up to date is to use one of the NixOS channels. A channel is a Nix mechanism for distributing Nix expressions and associated binaries. The NixOS channels are updated automatically from NixOS’s Git repository after certain tests have passed and all packages have been built. These channels are:

  • Stable channels, such as nixos-14.12. These only get conservative bug fixes and package upgrades. For instance, a channel update may cause the Linux kernel on your system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but not from 3.4.x to 3.11.x (a major change that has the potential to break things). Stable channels are generally maintained until the next stable branch is created.

  • The unstable channel, nixos-unstable. This corresponds to NixOS’s main development branch, and may thus see radical changes between channel updates. It’s not recommended for production systems.

  • Small channels, such as nixos-14.12-small or nixos-unstable-small. These are identical to the stable and unstable channels described above, except that they contain fewer binary packages. This means they get updated faster than the regular channels (for instance, when a critical security patch is committed to NixOS’s source tree), but may require more packages to be built from source than usual. They’re mostly intended for server environments and as such contain few GUI applications.

To see what channels are available, go to (Note that the URIs of the various channels redirect to a directory that contains the channel’s latest version and includes ISO images and VirtualBox appliances.)

When you first install NixOS, you’re automatically subscribed to the NixOS channel that corresponds to your installation source. For instance, if you installed from a 14.12 ISO, you will be subscribed to the nixos-14.12 channel. To see which NixOS channel you’re subscribed to, run the following as root:

# nix-channel --list | grep nixos

To switch to a different NixOS channel, do

# nix-channel --add nixos

(Be sure to include the nixos parameter at the end.) For instance, to use the NixOS 14.12 stable channel:

# nix-channel --add nixos

If you have a server, you may want to use the “small” channel instead:

# nix-channel --add nixos

And if you want to live on the bleeding edge:

# nix-channel --add nixos

You can then upgrade NixOS to the latest version in your chosen channel by running

# nixos-rebuild switch --upgrade

which is equivalent to the more verbose nix-channel --update nixos; nixos-rebuild switch.

Warning: It is generally safe to switch back and forth between channels. The only exception is that a newer NixOS may also have a newer Nix version, which may involve an upgrade of Nix’s database schema. This cannot be undone easily, so in that case you will not be able to go back to your original channel.

4.1. Automatic Upgrades

You can keep a NixOS system up-to-date automatically by adding the following to configuration.nix:

system.autoUpgrade.enable = true;

This enables a periodically executed systemd service named nixos-upgrade.service. It runs nixos-rebuild switch --upgrade to upgrade NixOS to the latest version in the current channel. (To see when the service runs, see systemctl list-timers.) You can also specify a channel explicitly, e.g. =;

This chapter describes how to configure various aspects of a NixOS machine through the configuration file /etc/nixos/configuration.nix. As described in Chapter 3, Changing the Configuration, changes to this file only take effect after you run nixos-rebuild.

Chapter 5. Configuration Syntax

The NixOS configuration file /etc/nixos/configuration.nix is actually a Nix expression, which is the Nix package manager’s purely functional language for describing how to build packages and configurations. This means you have all the expressive power of that language at your disposal, including the ability to abstract over common patterns, which is very useful when managing complex systems. The syntax and semantics of the Nix language are fully described in the Nix manual, but here we give a short overview of the most important constructs useful in NixOS configuration files.

5.1. NixOS Configuration File

The NixOS configuration file generally looks like this:

{ config, pkgs, ... }:

{ option definitions

The first line ({ config, pkgs, ... }:) denotes that this is actually a function that takes at least the two arguments config and pkgs. (These are explained later.) The function returns a set of option definitions ({ ... }). These definitions have the form name = value, where name is the name of an option and value is its value. For example,

{ config, pkgs, ... }:

{ services.httpd.enable = true;
  services.httpd.adminAddr = "";
  services.httpd.documentRoot = "/webroot";

defines a configuration with three option definitions that together enable the Apache HTTP Server with /webroot as the document root.

Sets can be nested, and in fact dots in option names are shorthand for defining a set containing another set. For instance, services.httpd.enable defines a set named services that contains a set named httpd, which in turn contains an option definition named enable with value true. This means that the example above can also be written as:

{ config, pkgs, ... }:

{ services = {
    httpd = {
      enable = true;
      adminAddr = "";
      documentRoot = "/webroot";

which may be more convenient if you have lots of option definitions that share the same prefix (such as services.httpd).

NixOS checks your option definitions for correctness. For instance, if you try to define an option that doesn’t exist (that is, doesn’t have a corresponding option declaration), nixos-rebuild will give an error like:

The option `services.httpd.enable' defined in `/etc/nixos/configuration.nix' does not exist.

Likewise, values in option definitions must have a correct type. For instance, services.httpd.enable must be a Boolean (true or false). Trying to give it a value of another type, such as a string, will cause an error:

The option value `services.httpd.enable' in `/etc/nixos/configuration.nix' is not a boolean.

Options have various types of values. The most important are:


Strings are enclosed in double quotes, e.g.

networking.hostName = "dexter";

Special characters can be escaped by prefixing them with a backslash (e.g. \").

Multi-line strings can be enclosed in double single quotes, e.g.

networking.extraHosts =
  '' other-localhost server

The main difference is that it strips from each line a number of spaces equal to the minimal indentation of the string as a whole (disregarding the indentation of empty lines), and that characters like " and \ are not special (making it more convenient for including things like shell code). See more info about this in the Nix manual here.


These can be true or false, e.g.

networking.firewall.enable = true;
networking.firewall.allowPing = false;


For example,

boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60;

(Note that here the attribute name net.ipv4.tcp_keepalive_time is enclosed in quotes to prevent it from being interpreted as a set named net containing a set named ipv4, and so on. This is because it’s not a NixOS option but the literal name of a Linux kernel setting.)


Sets were introduced above. They are name/value pairs enclosed in braces, as in the option definition

fileSystems."/boot" =
  { device = "/dev/sda1";
    fsType = "ext4";
    options = [ "rw" "data=ordered" "relatime" ];


The important thing to note about lists is that list elements are separated by whitespace, like this:

boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];

List elements can be any other type, e.g. sets:

swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];


Usually, the packages you need are already part of the Nix Packages collection, which is a set that can be accessed through the function argument pkgs. Typical uses:

environment.systemPackages =
  [ pkgs.thunderbird

postgresql.package = pkgs.postgresql90;

The latter option definition changes the default PostgreSQL package used by NixOS’s PostgreSQL service to 9.0. For more information on packages, including how to add new ones, see Section 6.1.2, “Adding Custom Packages”.

5.2. Abstractions

If you find yourself repeating yourself over and over, it’s time to abstract. Take, for instance, this Apache HTTP Server configuration:

  services.httpd.virtualHosts =
    [ { hostName = "";
        documentRoot = "/webroot";
        adminAddr = "";
        enableUserDir = true;
      { hostName = "";
        documentRoot = "/webroot";
        adminAddr = "";
        enableUserDir = true;
        enableSSL = true;
        sslServerCert = "/root/ssl-example-org.crt";
        sslServerKey = "/root/ssl-example-org.key";

It defines two virtual hosts with nearly identical configuration; the only difference is that the second one has SSL enabled. To prevent this duplication, we can use a let:

  exampleOrgCommon =
    { hostName = "";
      documentRoot = "/webroot";
      adminAddr = "";
      enableUserDir = true;
  services.httpd.virtualHosts =
    [ exampleOrgCommon
      (exampleOrgCommon // {
        enableSSL = true;
        sslServerCert = "/root/ssl-example-org.crt";
        sslServerKey = "/root/ssl-example-org.key";

The let exampleOrgCommon = ... defines a variable named exampleOrgCommon. The // operator merges two attribute sets, so the configuration of the second virtual host is the set exampleOrgCommon extended with the SSL options.

You can write a let wherever an expression is allowed. Thus, you also could have written:

  services.httpd.virtualHosts =
    let exampleOrgCommon = ...; in
    [ exampleOrgCommon
      (exampleOrgCommon // { ... })

but not { let exampleOrgCommon = ...; in ...; } since attributes (as opposed to attribute values) are not expressions.

Functions provide another method of abstraction. For instance, suppose that we want to generate lots of different virtual hosts, all with identical configuration except for the host name. This can be done as follows:

  services.httpd.virtualHosts =
      makeVirtualHost = name:
        { hostName = name;
          documentRoot = "/webroot";
          adminAddr = "";
      [ (makeVirtualHost "")
        (makeVirtualHost "")
        (makeVirtualHost "")
        (makeVirtualHost "")

Here, makeVirtualHost is a function that takes a single argument name and returns the configuration for a virtual host. That function is then called for several names to produce the list of virtual host configurations.

We can further improve on this by using the function map, which applies another function to every element in a list:

  services.httpd.virtualHosts =
      makeVirtualHost = ...;
    in map makeVirtualHost
      [ "" "" "" "" ];

(The function map is called a higher-order function because it takes another function as an argument.)

What if you need more than one argument, for instance, if we want to use a different documentRoot for each virtual host? Then we can make makeVirtualHost a function that takes a set as its argument, like this:

  services.httpd.virtualHosts =
      makeVirtualHost = { name, root }:
        { hostName = name;
          documentRoot = root;
          adminAddr = "";
    in map makeVirtualHost
      [ { name = ""; root = "/sites/"; }
        { name = ""; root = "/sites/"; }
        { name = ""; root = "/sites/"; }
        { name = ""; root = "/sites/"; }

But in this case (where every root is a subdirectory of /sites named after the virtual host), it would have been shorter to define makeVirtualHost as

makeVirtualHost = name:
  { hostName = name;
    documentRoot = "/sites/${name}";
    adminAddr = "";

Here, the construct ${...} allows the result of an expression to be spliced into a string.

5.3. Modularity

The NixOS configuration mechanism is modular. If your configuration.nix becomes too big, you can split it into multiple files. Likewise, if you have multiple NixOS configurations (e.g. for different computers) with some commonality, you can move the common configuration into a shared file.

Modules have exactly the same syntax as configuration.nix. In fact, configuration.nix is itself a module. You can use other modules by including them from configuration.nix, e.g.:

{ config, pkgs, ... }:

{ imports = [ ./vpn.nix ./kde.nix ];
  services.httpd.enable = true;
  environment.systemPackages = [ pkgs.emacs ];

Here, we include two modules from the same directory, vpn.nix and kde.nix. The latter might look like this:

{ config, pkgs, ... }:

{ services.xserver.enable = true;
  services.xserver.displayManager.kdm.enable = true;
  services.xserver.desktopManager.kde4.enable = true;
  environment.systemPackages = [ pkgs.kde4.kscreensaver ];

Note that both configuration.nix and kde.nix define the option environment.systemPackages. When multiple modules define an option, NixOS will try to merge the definitions. In the case of environment.systemPackages, that’s easy: the lists of packages can simply be concatenated. The value in configuration.nix is merged last, so for list-type options, it will appear at the end of the merged list. If you want it to appear first, you can use mkBefore:

boot.kernelModules = mkBefore [ "kvm-intel" ];

This causes the kvm-intel kernel module to be loaded before any other kernel modules.

For other types of options, a merge may not be possible. For instance, if two modules define services.httpd.adminAddr, nixos-rebuild will give an error:

The unique option `services.httpd.adminAddr' is defined multiple times, in `/etc/nixos/httpd.nix' and `/etc/nixos/configuration.nix'.

When that happens, it’s possible to force one definition take precedence over the others:

services.httpd.adminAddr = pkgs.lib.mkForce "";

When using multiple modules, you may need to access configuration values defined in other modules. This is what the config function argument is for: it contains the complete, merged system configuration. That is, config is the result of combining the configurations returned by every module[1]. For example, here is a module that adds some packages to environment.systemPackages only if services.xserver.enable is set to true somewhere else:

{ config, pkgs, ... }:

{ environment.systemPackages =
    if then
      [ pkgs.firefox
      [ ];

With multiple modules, it may not be obvious what the final value of a configuration option is. The command nixos-option allows you to find out:

$ nixos-option services.xserver.enable

$ nixos-option boot.kernelModules
[ "tun" "ipv6" "loop" ... ]

Interactive exploration of the configuration is possible using nix-repl, a read-eval-print loop for Nix expressions. It’s not installed by default; run nix-env -i nix-repl to get it. A typical use:

$ nix-repl '<nixos>'

nix-repl> config.networking.hostName

nix-repl> map (x: x.hostName)
[ "" "" ]

5.4. Syntax Summary

Below is a summary of the most important syntactic constructs in the Nix expression language. It’s not complete. In particular, there are many other built-in functions. See the Nix manual for the rest.

Basic values
"Hello world"A string
"${pkgs.bash}/bin/sh"A string containing an expression (expands to "/nix/store/hash-bash-version/bin/sh")
true, falseBooleans
123An integer
./foo.pngA path (relative to the containing Nix expression)
Compound values
{ x = 1; y = 2; }An set with attributes names x and y
{ = 1; }A nested set, equivalent to { foo = { bar = 1; }; }
rec { x = "foo"; y = x + "bar"; }A recursive set, equivalent to { x = "foo"; y = "foobar"; }
[ "foo" "bar" ]A list with two elements
"foo" + "bar"String concatenation
1 + 2Integer addition
"foo" == "f" + "oo"Equality test (evaluates to true)
"foo" != "bar"Inequality test (evaluates to true)
!trueBoolean negation
{ x = 1; y = 2; }.xAttribute selection (evaluates to 1)
{ x = 1; y = 2; }.z or 3Attribute selection with default (evaluates to 3)
{ x = 1; y = 2; } // { z = 3; }Merge two sets (attributes in the right-hand set taking precedence)
Control structures
if 1 + 1 == 2 then "yes!" else "no!"Conditional expression
assert 1 + 1 == 2; "yes!"Assertion check (evaluates to "yes!")
let x = "foo"; y = "bar"; in x + yVariable definition
with pkgs.lib; head [ 1 2 3 ]Add all attributes from the given set to the scope (evaluates to 1)
Functions (lambdas)
x: x + 1A function that expects an integer and returns it increased by 1
(x: x + 1) 100A function call (evaluates to 101)
let inc = x: x + 1; in inc (inc (inc 100))A function bound to a variable and subsequently called by name (evaluates to 103)
{ x, y }: x + yA function that expects a set with required attributes x and y and concatenates them
{ x, y ? "bar" }: x + yA function that expects a set with required attribute x and optional y, using "bar" as default value for y
{ x, y, ... }: x + yA function that expects a set with required attributes x and y and ignores any other attributes
{ x, y } @ args: x + yA function that expects a set with required attributes x and y, and binds the whole set to args
Built-in functions
import ./foo.nixLoad and return Nix expression in given file
map (x: x + x) [ 1 2 3 ]Apply a function to every element of a list (evaluates to [ 2 4 6 ])

[1] If you’re wondering how it’s possible that the (indirect) result of a function is passed as an input to that same function: that’s because Nix is a “lazy” language — it only computes values when they are needed. This works as long as no individual configuration value depends on itself.

Chapter 6. Package Management

This section describes how to add additional packages to your system. NixOS has two distinct styles of package management:

  • Declarative, where you declare what packages you want in your configuration.nix. Every time you run nixos-rebuild, NixOS will ensure that you get a consistent set of binaries corresponding to your specification.

  • Ad hoc, where you install, upgrade and uninstall packages via the nix-env command. This style allows mixing packages from different Nixpkgs versions. It’s the only choice for non-root users.

6.1. Declarative Package Management

With declarative package management, you specify which packages you want on your system by setting the option environment.systemPackages. For instance, adding the following line to configuration.nix enables the Mozilla Thunderbird email application:

environment.systemPackages = [ pkgs.thunderbird ];

The effect of this specification is that the Thunderbird package from Nixpkgs will be built or downloaded as part of the system when you run nixos-rebuild switch.

You can get a list of the available packages as follows:

$ nix-env -qaP '*' --description
nixos.firefox   firefox-23.0   Mozilla Firefox - the browser, reloaded

The first column in the output is the attribute name, such as nixos.thunderbird. (The nixos prefix allows distinguishing between different channels that you might have.)

To “uninstall” a package, simply remove it from environment.systemPackages and run nixos-rebuild switch.

6.1.1. Customising Packages

Some packages in Nixpkgs have options to enable or disable optional functionality or change other aspects of the package. For instance, the Firefox wrapper package (which provides Firefox with a set of plugins such as the Adobe Flash player) has an option to enable the Google Talk plugin. It can be set in configuration.nix as follows: nixpkgs.config.firefox.enableGoogleTalkPlugin = true;

Warning: Unfortunately, Nixpkgs currently lacks a way to query available configuration options.

Apart from high-level options, it’s possible to tweak a package in almost arbitrary ways, such as changing or disabling dependencies of a package. For instance, the Emacs package in Nixpkgs by default has a dependency on GTK+ 2. If you want to build it against GTK+ 3, you can specify that as follows:

environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ];

The function override performs the call to the Nix function that produces Emacs, with the original arguments amended by the set of arguments specified by you. So here the function argument gtk gets the value pkgs.gtk3, causing Emacs to depend on GTK+ 3. (The parentheses are necessary because in Nix, function application binds more weakly than list construction, so without them, environment.systemPackages would be a list with two elements.)

Even greater customisation is possible using the function overrideDerivation. While the override mechanism above overrides the arguments of a package function, overrideDerivation allows changing the result of the function. This permits changing any aspect of the package, such as the source code. For instance, if you want to override the source code of Emacs, you can say:

environment.systemPackages =
  [ (pkgs.lib.overrideDerivation pkgs.emacs (attrs: {
      name = "emacs-25.0-pre";
      src = /path/to/my/emacs/tree;

Here, overrideDerivation takes the Nix derivation specified by pkgs.emacs and produces a new derivation in which the original’s name and src attribute have been replaced by the given values. The original attributes are accessible via attrs.

The overrides shown above are not global. They do not affect the original package; other packages in Nixpkgs continue to depend on the original rather than the customised package. This means that if another package in your system depends on the original package, you end up with two instances of the package. If you want to have everything depend on your customised instance, you can apply a global override as follows:

nixpkgs.config.packageOverrides = pkgs:
  { emacs = pkgs.emacs.override { gtk = pkgs.gtk3; };

The effect of this definition is essentially equivalent to modifying the emacs attribute in the Nixpkgs source tree. Any package in Nixpkgs that depends on emacs will be passed your customised instance. (However, the value pkgs.emacs in nixpkgs.config.packageOverrides refers to the original rather than overridden instance, to prevent an infinite recursion.)

6.1.2. Adding Custom Packages

It’s possible that a package you need is not available in NixOS. In that case, you can do two things. First, you can clone the Nixpkgs repository, add the package to your clone, and (optionally) submit a patch or pull request to have it accepted into the main Nixpkgs repository. This is described in detail in the Nixpkgs manual. In short, you clone Nixpkgs:

$ git clone git://
$ cd nixpkgs

Then you write and test the package as described in the Nixpkgs manual. Finally, you add it to environment.systemPackages, e.g.

environment.systemPackages = [ ];

and you run nixos-rebuild, specifying your own Nixpkgs tree:

# nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs

The second possibility is to add the package outside of the Nixpkgs tree. For instance, here is how you specify a build of the GNU Hello package directly in configuration.nix:

environment.systemPackages =
    my-hello = with pkgs; stdenv.mkDerivation rec {
      name = "hello-2.8";
      src = fetchurl {
        url = "mirror://gnu/hello/${name}.tar.gz";
        sha256 = "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6";
  [ my-hello ];

Of course, you can also move the definition of my-hello into a separate Nix expression, e.g.

environment.systemPackages = [ (import ./my-hello.nix) ];

where my-hello.nix contains:

with import <nixpkgs> {}; # bring all of Nixpkgs into scope

stdenv.mkDerivation rec {
  name = "hello-2.8";
  src = fetchurl {
    url = "mirror://gnu/hello/${name}.tar.gz";
    sha256 = "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6";

This allows testing the package easily:

$ nix-build my-hello.nix
$ ./result/bin/hello
Hello, world!

6.2. Ad-Hoc Package Management

With the command nix-env, you can install and uninstall packages from the command line. For instance, to install Mozilla Thunderbird:

$ nix-env -iA nixos.thunderbird

If you invoke this as root, the package is installed in the Nix profile /nix/var/nix/profiles/default and visible to all users of the system; otherwise, the package ends up in /nix/var/nix/profiles/per-user/username/profile and is not visible to other users. The -A flag specifies the package by its attribute name; without it, the package is installed by matching against its package name (e.g. thunderbird). The latter is slower because it requires matching against all available Nix packages, and is ambiguous if there are multiple matching packages.

Packages come from the NixOS channel. You typically upgrade a package by updating to the latest version of the NixOS channel:

$ nix-channel --update nixos

and then running nix-env -i again. Other packages in the profile are not affected; this is the crucial difference with the declarative style of package management, where running nixos-rebuild switch causes all packages to be updated to their current versions in the NixOS channel. You can however upgrade all packages for which there is a newer version by doing:

$ nix-env -u '*'

A package can be uninstalled using the -e flag:

$ nix-env -e thunderbird

Finally, you can roll back an undesirable nix-env action:

$ nix-env --rollback

nix-env has many more flags. For details, see the nix-env(1) manpage or the Nix manual.

Chapter 7. User Management

NixOS supports both declarative and imperative styles of user management. In the declarative style, users are specified in configuration.nix. For instance, the following states that a user account named alice shall exist:

users.extraUsers.alice =
  { isNormalUser = true;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];

Note that alice is a member of the wheel and networkmanager groups, which allows her to use sudo to execute commands as root and to configure the network, respectively. Also note the SSH public key that allows remote logins with the corresponding private key. Users created in this way do not have a password by default, so they cannot log in via mechanisms that require a password. However, you can use the passwd program to set a password, which is retained across invocations of nixos-rebuild.

If you set users.mutableUsers to false, then the contents of /etc/passwd and /etc/group will be congruent to your NixOS configuration. For instance, if you remove a user from users.extraUsers and run nixos-rebuild, the user account will cease to exist. Also, imperative commands for managing users and groups, such as useradd, are no longer available.

A user ID (uid) is assigned automatically. You can also specify a uid manually by adding

    uid = 1000;

to the user specification.

Groups can be specified similarly. The following states that a group named students shall exist:

users.extraGroups.students.gid = 1000;

As with users, the group ID (gid) is optional and will be assigned automatically if it’s missing.

In the imperative style, users and groups are managed by commands such as useradd, groupmod and so on. For instance, to create a user account named alice:

# useradd -m alice

To make all nix tools available to this new user use `su - USER` which opens a login shell (==shell that loads the profile) for given user. This will create the ~/.nix-defexpr symlink. So run:

# su - alice -c "true"

The flag -m causes the creation of a home directory for the new user, which is generally what you want. The user does not have an initial password and therefore cannot log in. A password can be set using the passwd utility:

# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***

A user can be deleted using userdel:

# userdel -r alice

The flag -r deletes the user’s home directory. Accounts can be modified using usermod. Unix groups can be managed using groupadd, groupmod and groupdel.

Chapter 8. File Systems

You can define file systems using the fileSystems configuration option. For instance, the following definition causes NixOS to mount the Ext4 file system on device /dev/disk/by-label/data onto the mount point /data:

fileSystems."/data" =
  { device = "/dev/disk/by-label/data";
    fsType = "ext4";

Mount points are created automatically if they don’t already exist. For device, it’s best to use the topology-independent device aliases in /dev/disk/by-label and /dev/disk/by-uuid, as these don’t change if the topology changes (e.g. if a disk is moved to another IDE controller).

You can usually omit the file system type (fsType), since mount can usually detect the type and load the necessary kernel module automatically. However, if the file system is needed at early boot (in the initial ramdisk) and is not ext2, ext3 or ext4, then it’s best to specify fsType to ensure that the kernel module is available.

8.1. LUKS-Encrypted File Systems

NixOS supports file systems that are encrypted using LUKS (Linux Unified Key Setup). For example, here is how you create an encrypted Ext4 file system on the device /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d:

# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d

This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***

# mkfs.ext4 /dev/mapper/crypted

To ensure that this file system is automatically mounted at boot time as /, add the following to configuration.nix:

boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
fileSystems."/".device = "/dev/mapper/crypted";

Chapter 9. X Window System

The X Window System (X11) provides the basis of NixOS’ graphical user interface. It can be enabled as follows:

services.xserver.enable = true;

The X server will automatically detect and use the appropriate video driver from a set of drivers (such as vesa and intel). You can also specify a driver manually, e.g.

services.xserver.videoDrivers = [ "r128" ];

to enable’s xf86-video-r128 driver.

You also need to enable at least one desktop or window manager. Otherwise, you can only log into a plain undecorated xterm window. Thus you should pick one or more of the following lines:

services.xserver.desktopManager.kde4.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.twm.enable = true;
services.xserver.windowManager.icewm.enable = true;

NixOS’s default display manager (the program that provides a graphical login prompt and manages the X server) is SLiM. You can select KDE’s kdm instead:

services.xserver.displayManager.kdm.enable = true;

The X server is started automatically at boot time. If you don’t want this to happen, you can set:

services.xserver.autorun = false;

The X server can then be started manually:

# systemctl start display-manager.service

NVIDIA Graphics Cards

NVIDIA provides a proprietary driver for its graphics cards that has better 3D performance than the drivers. It is not enabled by default because it’s not free software. You can enable it as follows:

services.xserver.videoDrivers = [ "nvidia" ];

Or if you have an older card, you may have to use one of the legacy drivers:

services.xserver.videoDrivers = [ "nvidiaLegacy340" ];
services.xserver.videoDrivers = [ "nvidiaLegacy304" ];
services.xserver.videoDrivers = [ "nvidiaLegacy173" ];

You may need to reboot after enabling this driver to prevent a clash with other kernel modules.

On 64-bit systems, if you want full acceleration for 32-bit programs such as Wine, you should also set the following:

hardware.opengl.driSupport32Bit = true;

AMD Graphics Cards

AMD provides a proprietary driver for its graphics cards that has better 3D performance than the drivers. It is not enabled by default because it’s not free software. You can enable it as follows:

services.xserver.videoDrivers = [ "ati_unfree" ];

You will need to reboot after enabling this driver to prevent a clash with other kernel modules.

On 64-bit systems, if you want full acceleration for 32-bit programs such as Wine, you should also set the following:

hardware.opengl.driSupport32Bit = true;


Support for Synaptics touchpads (found in many laptops such as the Dell Latitude series) can be enabled as follows:

services.xserver.synaptics.enable = true;

The driver has many options (see Appendix A, Configuration Options). For instance, the following enables two-finger scrolling:

services.xserver.synaptics.twoFingerScroll = true;

GTK/Qt themes

GTK themes can be installed either to user profile or system-wide (via system.environmentPackages). To make Qt 5 applications look similar to GTK2 ones, you can install qt5.qtbase.gtk package into your system environment. It should work for all Qt 5 library versions.

Chapter 10. Networking

This section describes how to configure networking components on your NixOS machine.

10.1. NetworkManager

To facilitate network configuration, some desktop environments use NetworkManager. You can enable NetworkManager by setting:

networking.networkmanager.enable = true;

some desktop managers (e.g., GNOME) enable NetworkManager automatically for you.

All users that should have permission to change network settings must belong to the networkmanager group.

Note: networking.networkmanager and networking.wireless can not be enabled at the same time: you can still connect to the wireless networks using NetworkManager.

10.2. Secure Shell Access

Secure shell (SSH) access to your machine can be enabled by setting:

services.openssh.enable = true;

By default, root logins using a password are disallowed. They can be disabled entirely by setting services.openssh.permitRootLogin to "no".

You can declaratively specify authorised RSA/DSA public keys for a user as follows:

users.extraUsers.alice.openssh.authorizedKeys.keys =
  [ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];

10.3. IPv4 Configuration

By default, NixOS uses DHCP (specifically, dhcpcd) to automatically configure network interfaces. However, you can configure an interface manually as follows:

networking.interfaces.eth0.ip4 = [ { address = ""; prefixLength = 24; } ];

Typically you’ll also want to set a default gateway and set of name servers:

networking.defaultGateway = "";
networking.nameservers = [ "" ];

Note: Statically configured interfaces are set up by the systemd service interface-name-cfg.service. The default gateway and name server configuration is performed by network-setup.service.

The host name is set using networking.hostName:

networking.hostName = "cartman";

The default host name is nixos. Set it to the empty string ("") to allow the DHCP server to provide the host name.

10.4. IPv6 Configuration

IPv6 is enabled by default. Stateless address autoconfiguration is used to automatically assign IPv6 addresses to all interfaces. You can disable IPv6 support globally by setting:

networking.enableIPv6 = false;

10.5. Firewall

NixOS has a simple stateful firewall that blocks incoming connections and other unexpected packets. The firewall applies to both IPv4 and IPv6 traffic. It is enabled by default. It can be disabled as follows:

networking.firewall.enable = false;

If the firewall is enabled, you can open specific TCP ports to the outside world:

networking.firewall.allowedTCPPorts = [ 80 443 ];

Note that TCP port 22 (ssh) is opened automatically if the SSH daemon is enabled (services.openssh.enable = true). UDP ports can be opened through networking.firewall.allowedUDPPorts. Also of interest is

networking.firewall.allowPing = true;

to allow the machine to respond to ping requests. (ICMPv6 pings are always allowed.)

10.6. Wireless Networks

For a desktop installation using NetworkManager (e.g., GNOME), you just have to make sure the user is in the networkmanager group and you can skip the rest of this section on wireless networks.

NixOS will start wpa_supplicant for you if you enable this setting:

networking.wireless.enable = true;

NixOS lets you specify networks for wpa_supplicant declaratively:

networking.wireless.networks = {
  echelon = {
    psk = "abcdefgh";
  "free.wifi" = {};

Be aware that keys will be written to the nix store in plaintext! When no networks are set, it will default to using a configuration file at /etc/wpa_supplicant.conf. You should edit this file yourself to define wireless networks, WPA keys and so on (see wpa_supplicant.conf(5)).

If you are using WPA2 the wpa_passphrase tool might be useful to generate the wpa_supplicant.conf.

# wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf

After you have edited the wpa_supplicant.conf, you need to restart the wpa_supplicant service.

# systemctl restart wpa_supplicant.service

10.7. Ad-Hoc Configuration

You can use networking.localCommands to specify shell commands to be run at the end of network-setup.service. This is useful for doing network configuration not covered by the existing NixOS modules. For instance, to statically configure an IPv6 address:

networking.localCommands =
    ip -6 addr add 2001:610:685:1::1/64 dev eth0

Chapter 11. Linux Kernel

You can override the Linux kernel and associated packages using the option boot.kernelPackages. For instance, this selects the Linux 3.10 kernel:

boot.kernelPackages = pkgs.linuxPackages_3_10;

Note that this not only replaces the kernel, but also packages that are specific to the kernel version, such as the NVIDIA video drivers. This ensures that driver packages are consistent with the kernel.

The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel with the following command:

zcat /proc/config.gz

If you want to change the kernel configuration, you can use the packageOverrides feature (see Section 6.1.1, “Customising Packages”). For instance, to enable support for the kernel debugger KGDB:

nixpkgs.config.packageOverrides = pkgs:
  { linux_3_4 = pkgs.linux_3_4.override {
      extraConfig =
          KGDB y

extraConfig takes a list of Linux kernel configuration options, one per line. The name of the option should not include the prefix CONFIG_. The option value is typically y, n or m (to build something as a kernel module).

Kernel modules for hardware devices are generally loaded automatically by udev. You can force a module to be loaded via boot.kernelModules, e.g.

boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];

If the module is required early during the boot (e.g. to mount the root file system), you can use boot.initrd.extraKernelModules:

boot.initrd.extraKernelModules = [ "cifs" ];

This causes the specified modules and their dependencies to be added to the initial ramdisk.

Kernel runtime parameters can be set through boot.kernel.sysctl, e.g.

boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120;

sets the kernel’s TCP keepalive time to 120 seconds. To see the available parameters, run sysctl -a.

11.1. Developing kernel modules

When developing kernel modules it's often convenient to run edit-compile-run loop as quickly as possible. See below snippet as an example of developing mellanox drivers.

$ nix-build '<nixpkgs>' -A
$ nix-shell '<nixpkgs>' -A linuxPackages.kernel
$ unpackPhase
$ cd linux-*
$ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules
# insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko

Chapter 12. DNSCrypt client proxy

The DNSCrypt client proxy relays DNS queries to a DNSCrypt enabled upstream resolver. The traffic between the client and the upstream resolver is encrypted and authenticated, mitigating the risk of MITM attacks, DNS poisoning attacks, and third-party snooping (assuming the upstream is trustworthy).

12.1. Basic configuration

To enable the client proxy, set

      services.dnscrypt-proxy.enable = true;

Enabling the client proxy does not alter the system nameserver; to relay local queries, prepend to networking.nameservers.

12.2. As a forwarder for a caching DNS client

By default, DNSCrypt proxy acts as a transparent proxy for the system stub resolver. Because the client does not cache lookups, this setup can significantly slow down e.g., web browsing. The recommended configuration is to run DNSCrypt proxy as a forwarder for a caching DNS client. To achieve this, change the default proxy listening port to a non-standard value and point the caching client to it:

      services.dnscrypt-proxy.localPort = 43;

12.2.1. dnsmasq

      services.dnsmasq.enable = true;
      services.dnsmasq.servers = [ "" ];

12.2.2. unbound

      networking.nameservers = [ "" ];
      services.unbound.enable = true;
      services.unbound.forwardAddresses = [ "" ];
      services.unbound.extraConfig = ''
        do-not-query-localhost: no

Chapter 13. Taskserver

Taskserver is the server component of Taskwarrior, a free and open source todo list application.

Upstream documentation:

13.1. Configuration

Taskserver does all of its authentication via TLS using client certificates, so you either need to roll your own CA or purchase a certificate from a known CA, which allows creation of client certificates. These certificates are usually advertised as server certificates.

So in order to make it easier to handle your own CA, there is a helper tool called nixos-taskserver which manages the custom CA along with Taskserver organisations, users and groups.

While the client certificates in Taskserver only authenticate whether a user is allowed to connect, every user has its own UUID which identifies it as an entity.

With nixos-taskserver the client certificate is created along with the UUID of the user, so it handles all of the credentials needed in order to setup the Taskwarrior client to work with a Taskserver.

13.2. The nixos-taskserver tool

Because Taskserver by default only provides scripts to setup users imperatively, the nixos-taskserver tool is used for addition and deletion of organisations along with users and groups defined by services.taskserver.organisations and as well for imperative set up.

The tool is designed to not interfere if the command is used to manually set up some organisations, users or groups.

For example if you add a new organisation using nixos-taskserver org add foo, the organisation is not modified and deleted no matter what you define in services.taskserver.organisations, even if you're adding the same organisation in that option.

The tool is modelled to imitate the official taskd command, documentation for each subcommand can be shown by using the --help switch.

13.3. Declarative/automatic CA management

Everything is done according to what you specify in the module options, however in order to set up a Taskwarrior client for synchronisation with a Taskserver instance, you have to transfer the keys and certificates to the client machine.

This is done using nixos-taskserver user export $orgname $username which is printing a shell script fragment to stdout which can either be used verbatim or adjusted to import the user on the client machine.

For example, let's say you have the following configuration:

  services.taskserver.enable = true;
  services.taskserver.fqdn = "server";
  services.taskserver.listenHost = "::"; = [ "alice" ];

This creates an organisation called my-company with the user alice.

Now in order to import the alice user to another machine alicebox, all we need to do is something like this:

$ ssh server nixos-taskserver user export my-company alice | sh

Of course, if no SSH daemon is available on the server you can also copy & paste it directly into a shell.

After this step the user should be set up and you can start synchronising your tasks for the first time with task sync init on alicebox.

Subsequent synchronisation requests merely require the command task sync after that stage.

13.4. Manual CA management

If you set any options within service.taskserver.pki.manual.*, the automatic user and CA management by the nixos-taskserver is disabled and you need to create certificates and keys by yourself.

Chapter 14. Gitlab

Gitlab is a feature-rich git hosting service.

14.1. Prerequisites

The gitlab service exposes only an Unix socket at /run/gitlab/gitlab-workhorse.socket. You need to configure a webserver to proxy HTTP requests to the socket.

For instance, the following configuration could be used to use nginx as frontend proxy:

    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts."" = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";

14.2. Configuring

Gitlab depends on both PostgreSQL and Redis and will automatically enable both services. In the case of PostgreSQL, a database and a role will be created.

The default state dir is /var/gitlab/state. This is where all data like the repositories and uploads will be stored.

A basic configuration with some custom settings could look like this:

services.gitlab = {
  enable = true;
  databasePassword = "eXaMpl3";
  initialRootPassword = "UseNixOS!";
  https = true;
  host = "";
  port = 443;
  user = "git";
  group = "git";
  smtp = {
    enable = true;
    address = "localhost";
    port = 25;
  secrets = {
    db = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6";
    secret = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3";
    otp = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI";
  extraConfig = {
    gitlab = {
      email_from = "";
      email_display_name = "Example GitLab";
      email_reply_to = "";
      default_projects_features = { builds = false; };

If you're setting up a new Gitlab instance, generate new secrets. You for instance use tr -dc A-Za-z0-9 < /dev/urandom | head -c 128 to generate a new secret. Gitlab encrypts sensitive data stored in the database. If you're restoring an existing Gitlab instance, you must specify the secrets secret from config/secrets.yml located in your Gitlab state folder.

Refer to Appendix A, Configuration Options for all available configuration options for the services.gitlab module.

14.3. Maintenance

You can run Gitlab's rake tasks with gitlab-rake which will be available on the system when gitlab is enabled. You will have to run the command as the user that you configured to run gitlab with.

For example, to backup a Gitlab instance:

$ sudo -u git -H gitlab-rake gitlab:backup:create

A list of all availabe rake tasks can be obtained by running:

$ sudo -u git -H gitlab-rake -T

Chapter 15. Emacs

Emacs is an extensible, customizable, self-documenting real-time display editor — and more. At its core is an interpreter for Emacs Lisp, a dialect of the Lisp programming language with extensions to support text editing.

Emacs runs within a graphical desktop environment using the X Window System, but works equally well on a text terminal. Under OS X, a "Mac port" edition is available, which uses Apple's native GUI frameworks.

Nixpkgs provides a superior environment for running Emacs. It's simple to create custom builds by overriding the default packages. Chaotic collections of Emacs Lisp code and extensions can be brought under control using declarative package management. NixOS even provides a systemd user service for automatically starting the Emacs daemon.

15.1. Installing Emacs

Emacs can installed in the normal way for Nix (see Chapter 6, Package Management). In addition, a NixOS service can be enabled.

15.1.1. The Different Releases of Emacs

Nixpkgs defines several basic Emacs packages. The following are attributes belonging to the pkgs set:

emacs, emacs24

The latest stable version of Emacs 24 using the GTK+ 2 widget toolkit.


Emacs 24 built without any dependency on X11 libraries.


Emacs 24 with the "Mac port" patches, providing a more native look and feel under OS X.


A pretest version of what will become the first version of Emacs 25.

If those aren't suitable, then the following imitation Emacs editors are also available in Nixpkgs: Zile, mg, Yi.

15.1.2. Adding Packages to Emacs

Emacs includes an entire ecosystem of functionality beyond text editing, including a project planner, mail and news reader, debugger interface, calendar, and more.

Most extensions are gotten with the Emacs packaging system (package.el) from Emacs Lisp Package Archive (ELPA), MELPA, MELPA Stable, and Org ELPA. Nixpkgs is regularly updated to mirror all these archives.

Under NixOS, you can continue to use package-list-packages and package-install to install packages. You can also declare the set of Emacs packages you need using the derivations from Nixpkgs. The rest of this section discusses declarative installation of Emacs packages through nixpkgs.

Note: This documentation describes the new Emacs packages framework in NixOS 16.03 (emacsPackagesNg) which should not be confused with the previous and deprecated framework (emacs24Packages).

The first step to declare the list of packages you want in your Emacs installation is to create a dedicated derivation. This can be done in a dedicated emacs.nix file such as:

Example 15.1. Nix expression to build Emacs with packages (emacs.nix)

This is a nix expression to build Emacs and some Emacs packages I like
from source on any distribution where Nix is installed. This will install
all the dependencies from the nixpkgs repository and build the binary files
without interfering with the host distribution.

To build the project, type the following from the current directory:

$ nix-build emacs.nix

To run the newly compiled executable:

$ ./result/bin/emacs
{ pkgs ? import <nixpkgs> {} }: 1

  myEmacs = pkgs.emacs; 2
  emacsWithPackages = (pkgs.emacsPackagesNgGen myEmacs).emacsWithPackages; 3
  emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ 4
    magit          # ; Integrate git <C-x g>
    zerodark-theme # ; Nicolas' theme
  ]) ++ (with epkgs.melpaPackages; [ 5
    undo-tree      # ; <C-x u> to show the undo tree
    zoom-frm       # ; increase/decrease font size for all buffers %lt;C-x C-+>
  ]) ++ (with epkgs.elpaPackages; [ 6
    auctex         # ; LaTeX mode
    beacon         # ; highlight my cursor when scrolling
    nameless       # ; hide current package name everywhere in elisp code
  ]) ++ [
    pkgs.notmuch   # From main packages set 7


The first non-comment line in this file ({ pkgs ? ... }) indicates that the whole file represents a function.


The let expression below defines a myEmacs binding pointing to the current stable version of Emacs. This binding is here to separate the choice of the Emacs binary from the specification of the required packages.


This generates an emacsWithPackages function. It takes a single argument: a function from a package set to a list of packages (the packages that will be available in Emacs).


The rest of the file specifies the list of packages to install. In the example, two packages (magit and zerodark-theme) are taken from MELPA stable.


Two packages (undo-tree and zoom-frm) are taken from MELPA.


Three packages are taken from GNU ELPA.


notmuch is taken from a nixpkgs derivation which contains an Emacs mode.

The result of this configuration will be an emacs command which launches Emacs with all of your chosen packages in the load-path.

You can check that it works by executing this in a terminal:

$ nix-build emacs.nix
$ ./result/bin/emacs -q

and then typing M-x package-initialize. Check that you can use all the packages you want in this Emacs instance. For example, try switching to the zerodark theme through M-x load-theme <RET> zerodark <RET> y.


A few popular extensions worth checking out are: auctex, company, edit-server, flycheck, helm, iedit, magit, multiple-cursors, projectile, and yasnippet.

The list of available packages in the various ELPA repositories can be seen with the following commands:

Example 15.2. Querying Emacs packages

nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.elpaPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaPackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaStablePackages
nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.orgPackages

If you are on NixOS, you can install this particular Emacs for all users by adding it to the list of system packages (see Section 6.1, “Declarative Package Management”). Simply modify your file configuration.nix to make it contain:

Example 15.3. Custom Emacs in configuration.nix

 environment.systemPackages = [
   # [...]
   (import /path/to/emacs.nix { inherit pkgs; })

In this case, the next nixos-rebuild switch will take care of adding your emacs to the PATH environment variable (see Chapter 3, Changing the Configuration).

If you are not on NixOS or want to install this particular Emacs only for yourself, you can do so by adding it to your ~/.nixpkgs/config.nix (see Nixpkgs manual):

Example 15.4. Custom Emacs in ~/.nixpkgs/system.nix

  packageOverrides = super: let self = super.pkgs; in {
    myemacs = import /path/to/emacs.nix { pkgs = self; };

In this case, the next nix-env -f '<nixpkgs>' -iA myemacs will take care of adding your emacs to the PATH environment variable.

15.1.3. Advanced Emacs Configuration

If you want, you can tweak the Emacs package itself from your emacs.nix. For example, if you want to have a GTK+3-based Emacs instead of the default GTK+2-based binary and remove the automatically generated emacs.desktop (useful is you only use emacsclient), you can change your file emacs.nix in this way:

Example 15.5. Custom Emacs build

{ pkgs ? import <nixpkgs> {} }:
  myEmacs = pkgs.lib.overrideDerivation (pkgs.emacs.override {
    # Use gtk3 instead of the default gtk2
    withGTK3 = true;
    withGTK2 = false;
  }) (attrs: {
    # I don't want emacs.desktop file because I only use
    # emacsclient.
    postInstall = attrs.postInstall + ''
      rm $out/share/applications/emacs.desktop
in [...]

After building this file as shown in Example 15.1, “Nix expression to build Emacs with packages (emacs.nix)”, you will get an GTK3-based Emacs binary pre-loaded with your favorite packages.

15.2. Running Emacs as a Service

NixOS provides an optional systemd service which launches Emacs daemon with the user's login session.

Source: modules/services/editors/emacs.nix

15.2.1. Enabling the Service

To install and enable the systemd user service for Emacs daemon, add the following to your configuration.nix:

services.emacs.enable = true;
services.emacs.package = import /home/cassou/.emacs.d { pkgs = pkgs; };

The services.emacs.package option allows a custom derivation to be used, for example, one created by emacsWithPackages.

Ensure that the Emacs server is enabled for your user's Emacs configuration, either by customizing the server-mode variable, or by adding (server-start) to ~/.emacs.d/init.el.

To start the daemon, execute the following:

$ nixos-rebuild switch  # to activate the new configuration.nix
$ systemctl --user daemon-reload        # to force systemd reload
$ systemctl --user start emacs.service  # to start the Emacs daemon

The server should now be ready to serve Emacs clients.

15.2.2. Starting the client

Ensure that the emacs server is enabled, either by customizing the server-mode variable, or by adding (server-start) to ~/.emacs.

To connect to the emacs daemon, run one of the following:

emacsclient FILENAME
emacsclient --create-frame  # opens a new frame (window)
emacsclient --create-frame --tty  # opens a new frame on the current terminal

15.2.3. Configuring the EDITOR variable

If services.emacs.defaultEditor is true, the EDITOR variable will be set to a wrapper script which launches emacsclient.

Any setting of EDITOR in the shell config files will override services.emacs.defaultEditor. To make sure EDITOR refers to the Emacs wrapper script, remove any existing EDITOR assignment from .profile, .bashrc, .zshenv or any other shell config file.

If you have formed certain bad habits when editing files, these can be corrected with a shell alias to the wrapper script:

alias vi=$EDITOR

15.2.4. Per-User Enabling of the Service

In general, systemd user services are globally enabled by symlinks in /etc/systemd/user. In the case where Emacs daemon is not wanted for all users, it is possible to install the service but not globally enable it:

services.emacs.enable = false;
services.emacs.install = true;

To enable the systemd user service for just the currently logged in user, run:

systemctl --user enable emacs

This will add the symlink ~/.config/systemd/user/emacs.service.

15.3. Configuring Emacs

The Emacs init file should be changed to load the extension packages at startup:

Example 15.6. Package initialization in .emacs

(require 'package)

;; optional. makes unpure packages archives unavailable
(setq package-archives nil)

(setq package-enable-at-startup nil)

After the declarative emacs package configuration has been tested, previously downloaded packages can be cleaned up by removing ~/.emacs.d/elpa (do make a backup first, in case you forgot a package).

15.3.1. A Major Mode for Nix Expressions

Of interest may be melpaPackages.nix-mode, which provides syntax highlighting for the Nix language. This is particularly convenient if you regularly edit Nix files.

15.3.2. Accessing man pages

You can use woman to get completion of all available man pages. For example, type M-x woman <RET> nixos-rebuild <RET>.

Chapter 16. PostgreSQL

Source: modules/services/databases/postgresql.nix

Upstream documentation:

PostgreSQL is an advanced, free relational database.

16.1. Configuring

To enable PostgreSQL, add the following to your configuration.nix:

services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql94;

Note that you are required to specify the desired version of PostgreSQL (e.g. pkgs.postgresql94). Since upgrading your PostgreSQL version requires a database dump and reload (see below), NixOS cannot provide a default value for services.postgresql.package such as the most recent release of PostgreSQL.

By default, PostgreSQL stores its databases in /var/db/postgresql. You can override this using services.postgresql.dataDir, e.g.

services.postgresql.dataDir = "/data/postgresql";

16.2. Upgrading

FIXME: document dump/upgrade/load cycle.

16.3. Options

FIXME: auto-generated list of module options.

Chapter 17. Grsecurity/PaX

Grsecurity/PaX is a set of patches against the Linux kernel that make it harder to exploit bugs. The patchset includes protections such as enforcement of non-executable memory, address space layout randomization, and chroot jail hardening. These and other features render entire classes of exploits inert without additional efforts on the part of the adversary.

The NixOS grsecurity/PaX module is designed with casual users in mind and is intended to be compatible with normal desktop usage, without unnecessarily compromising security. The following sections describe the configuration and administration of a grsecurity/PaX enabled NixOS system. For more comprehensive coverage, please refer to the grsecurity wikibook and the Arch Linux wiki page on grsecurity.

Note: grsecurity/PaX is only available for the latest linux -stable kernel; patches against older kernels are available from upstream only for a fee.

Note: We standardise on a desktop oriented configuration primarily due to lack of resources. The grsecurity/PaX configuration state space is huge and each configuration requires quite a bit of testing to ensure that the resulting packages work as advertised. Defining additional package sets would likely result in a large number of functionally broken packages, to nobody's benefit.


17.1. Enabling grsecurity/PaX

To make use of grsecurity/PaX on NixOS, add the following to your configuration.nix:

      security.grsecurity.enable = true;

followed by

      # nixos-rebuild boot
      # reboot

For most users, further configuration should be unnecessary. All users are encouraged to look over Section 17.4, “Security considerations” before using the system, however. If you experience problems, please refer to Section 17.7, “Issues and work-arounds”.

Once booted into the new system, you can optionally use paxtest to exercise various PaX features:

    # nix-shell -p paxtest --command 'paxtest blackhat'
    Executable anonymous mapping             : Killed
    Executable bss                           : Killed
    # ... remaining output truncated for brevity

17.2. Declarative tuning

The default configuration mode is strictly declarative. Some features simply cannot be changed at all after boot, while others are locked once the system is up and running. Moreover, changes to the configuration enter into effect only upon booting into the new system.

The NixOS module exposes a limited number of options for tuning the behavior of grsecurity/PaX. These are options thought to be of particular interest to most users. For experts, further tuning is possible via boot.kernelParams (see Section 17.8, “Grsecurity/PaX kernel parameters”) and boot.kernel.sysctl."kernel.grsecurity.*" (the wikibook contains an exhaustive listing of grsecurity sysctl tunables).

17.3. Manual tuning

To permit manual tuning of grsecurity runtime parameters, set:

      security.grsecurity.lockTunables = false;

Once booted into this system, grsecurity features that have a corresponding sysctl tunable can be changed without rebooting, either by switching into a new system profile or via the sysctl utility.

To lock all grsecurity tunables until the next boot, do:

      # systemctl start grsec-lock

17.4. Security considerations

The NixOS kernel is built using upstream's recommended settings for a desktop deployment that generally favours security over performance. This section details deviations from upstream's recommendations that may compromise operational security.

Warning: There may be additional problems not covered here!


  • The following hardening features are disabled in the NixOS kernel:

    • Kernel symbol hiding: rendered useless by redistributing kernel objects.

    • Randomization of kernel structures: rendered useless by redistributing kernel objects.

    • TCP simultaneous OPEN connection is permitted: breaking strict TCP conformance is inappropriate for a general purpose kernel. The trade-off is that an attacker may be able to deny outgoing connections if they are able to guess the source port allocated by your OS for that connection and also manage to initiate a TCP simultaneous OPEN on that port before the connection is actually established.

    • /sys hardening: breaks systemd.

    • Trusted path execution: a desirable feature, but requires some more work to operate smoothly on NixOS.

  • The NixOS module conditionally weakens chroot restrictions to accommodate NixOS lightweight containers and sandboxed Nix builds. This is problematic if the deployment also runs a privileged network facing process that relies on chroot for isolation.

  • The NixOS kernel is patched to allow usermode helpers from anywhere in the Nix store. A usermode helper is an executable called by the kernel in certain circumstances, e.g., modprobe. Vanilla grsecurity only allows usermode helpers from paths typically owned by the super user. The NixOS kernel allows an attacker to inject malicious code into the Nix store which could then be executed by the kernel as a usermode helper.

  • The following features are disabled because they overlap with vanilla kernel mechanisms:

    • /proc hardening: use security.hideProcessInformation instead. This trades weaker protection for greater compatibility.

    • dmesg restrictions: use boot.kernel.sysctl."kernel.dmesg_restrict" instead

17.5. Using a custom grsecurity/PaX kernel

The NixOS kernel is likely to be either too permissive or too restrictive for many deployment scenarios. In addition to producing a kernel more suitable for a particular deployment, a custom kernel may improve security by depriving an attacker the ability to study the kernel object code, adding yet more guesswork to successfully carry out certain exploits.

To use a custom kernel with upstream's recommended settings for server deployments:

      boot.kernelPackages =
          kernel = pkgs.linux_grsec_nixos.override {
            extraConfig = ''
              GRKERNSEC y
              PAX y
          self = pkgs.linuxPackagesFor kernel self;
        in self;

The wikibook provides an exhaustive listing of kernel configuration options.

The NixOS module makes several assumptions about the kernel and so may be incompatible with your customised kernel. Most of these assumptions are encoded as assertions — mismatches should ideally result in a build failure. Currently, the only way to work around incompatibilities is to eschew the NixOS module and do all configuration yourself.

17.6. Per-executable PaX flags

Manual tuning of per-file PaX flags for executables in the Nix store is impossible on a properly configured system. If a package in Nixpkgs fails due to PaX, that is a bug in the package recipe and should be reported to the maintainer (including relevant dmesg output).

For executables installed outside of the Nix store, PaX flags can be set using the paxctl utility:

      paxctl -czem foo

Warning: paxctl overwrites files in-place.

Equivalently, on file systems that support extended attributes:

      setfattr -n user.pax.flags -v em foo

17.7. Issues and work-arounds

  • User namespaces require CAP_SYS_ADMIN: consequently, unprivileged namespaces are unsupported. Applications that rely on namespaces for sandboxing must use a privileged helper. For chromium there is security.chromiumSuidSandbox.enable.

  • Access to EFI runtime services is disabled by default: this plugs a potential code injection attack vector; use security.grsecurity.disableEfiRuntimeServices to override this behavior.

  • Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are unsupported and most likely require a custom kernel.

  • Attaching gdb to a running process is disallowed by default: unprivileged users can only ptrace processes that are children of the ptracing process. To relax this restriction, set

            boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;

  • Overflows in boot critical code (e.g., the root filesystem module) can render the system unbootable. Work around by setting

            boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];

  • The modify_ldt (2) syscall is disabled by default. This restriction can interfere with programs designed to run legacy 16-bit or segmented 32-bit code. To support applications that rely on this syscall, set

            boot.kernel.sysctl."kernel.modify_ldt" = 1;

17.8. Grsecurity/PaX kernel parameters

The NixOS kernel supports the following kernel command line parameters:

  • pax_nouderef: disable UDEREF (separate kernel and user address spaces).

  • pax_weakuderef: enable a faster but weaker variant of UDEREF on 64-bit processors with PCID support (check grep pcid /proc/cpuinfo).

  • pax_sanitize_slab={off|fast|full}: control kernel slab object sanitization

  • pax_size_overflow_report_only: log size overflow violations but leave the violating task running

Chapter 18. SSL/TLS Certificates with ACME

NixOS supports automatic domain validation & certificate retrieval and renewal using the ACME protocol. This is currently only implemented by and for Let's Encrypt. The alternative ACME client simp_le is used under the hood.

18.1. Prerequisites

You need to have a running HTTP server for verification. The server must have a webroot defined that can serve .well-known/acme-challenge. This directory must be writeable by the user that will run the ACME client.

For instance, this generic snippet could be used for Nginx:

http {
  server {
    server_name _;
    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge {
      root /var/www/challenges;

    location / {
      return 301 https://$host$request_uri;

18.2. Configuring

To enable ACME certificate retrieval & renewal for a certificate for, add the following in your configuration.nix:

security.acme.certs."" = {
  webroot = "/var/www/challenges";
  email = "";

The private key key.pem and certificate fullchain.pem will be put into /var/lib/acme/ The target directory can be configured with the option

Refer to Appendix A, Configuration Options for all available configuration options for the security.acme module.

18.3. Using ACME certificates in Nginx

In practice ACME is mostly used for retrieval and renewal of certificates that will be used in a webserver like Nginx. A configuration for Nginx that uses the certificates from ACME for will look similar to:

security.acme.certs."" = {
  webroot = "/var/www/challenges";
  email = "";
  user = "nginx";
  group = "nginx";
  postRun = "systemctl restart nginx.service";
services.nginx.httpConfig = ''
  server {
    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge {
      root /var/www/challenges;

    location / {
      return 301 https://$host$request_uri;

  server {
    listen 443 ssl;
    ssl_certificate     ${}/;
    ssl_certificate_key ${}/;
    root /var/www/;

Now Nginx will try to use the certificates that will be retrieved by ACME. ACME needs Nginx (or any other webserver) to function and Nginx needs the certificates to actually start. For this reason the ACME module automatically generates self-signed certificates that will be used by Nginx to start. After that Nginx is used by ACME to retrieve the actual ACME certificates. security.acme.preliminarySelfsigned can be used to control whether to generate the self-signed certificates.

Chapter 19. Input Methods

Input methods are an operating system component that allows any data, such as keyboard strokes or mouse movements, to be received as input. In this way users can enter characters and symbols not found on their input devices. Using an input method is obligatory for any language that has more graphemes than there are keys on the keyboard.

The following input methods are available in NixOS:

  • IBus: The intelligent input bus.

  • Fcitx: A customizable lightweight input method.

  • Nabi: A Korean input method based on XIM.

  • Uim: The universal input method, is a library with a XIM bridge.

19.1. IBus

IBus is an Intelligent Input Bus. It provides full featured and user friendly input method user interface.

The following snippet can be used to configure IBus:

i18n.inputMethod = {
  enabled = "ibus";
  ibus.engines = with pkgs.ibus-engines; [ anthy hangul mozc ];

i18n.inputMethod.ibus.engines is optional and can be used to add extra IBus engines.

Available extra IBus engines are:

  • Anthy (ibus-engines.anthy): Anthy is a system for Japanese input method. It converts Hiragana text to Kana Kanji mixed text.

  • Hangul (ibus-engines.hangul): Korean input method.

  • m17n (ibus-engines.m17n): m17n is an input method that uses input methods and corresponding icons in the m17n database.

  • mozc (ibus-engines.mozc): A Japanese input method from Google.

  • Table (ibus-engines.table): An input method that load tables of input methods.

  • table-others (ibus-engines.table-others): Various table-based input methods.

19.2. Fcitx

Fcitx is an input method framework with extension support. It has three built-in Input Method Engine, Pinyin, QuWei and Table-based input methods.

The following snippet can be used to configure Fcitx:

i18n.inputMethod = {
  enabled = "fcitx";
  fcitx.engines = with pkgs.fcitx-engines; [ mozc hangul m17n ];

i18n.inputMethod.fcitx.engines is optional and can be used to add extra Fcitx engines.

Available extra Fcitx engines are:

  • Anthy (fcitx-engines.anthy): Anthy is a system for Japanese input method. It converts Hiragana text to Kana Kanji mixed text.

  • Chewing (fcitx-engines.chewing): Chewing is an intelligent Zhuyin input method. It is one of the most popular input methods among Traditional Chinese Unix users.

  • Hangul (fcitx-engines.hangul): Korean input method.

  • Unikey (fcitx-engines.unikey): Vietnamese input method.

  • m17n (fcitx-engines.m17n): m17n is an input method that uses input methods and corresponding icons in the m17n database.

  • mozc (fcitx-engines.mozc): A Japanese input method from Google.

  • table-others (fcitx-engines.table-others): Various table-based input methods.

19.3. Nabi

Nabi is an easy to use Korean X input method. It allows you to enter phonetic Korean characters (hangul) and pictographic Korean characters (hanja).

The following snippet can be used to configure Nabi:

i18n.inputMethod = {
  enabled = "nabi";

19.4. Uim

Uim (short for "universal input method") is a multilingual input method framework. Applications can use it through so-called bridges.

The following snippet can be used to configure uim:

i18n.inputMethod = {
  enabled = "uim";

Note: The i18n.inputMethod.uim.toolbar option can be used to choose uim toolbar.

This chapter describes various aspects of managing a running NixOS system, such as how to use the systemd service manager.

Chapter 20. Service Management

In NixOS, all system services are started and monitored using the systemd program. Systemd is the “init” process of the system (i.e. PID 1), the parent of all other processes. It manages a set of so-called “units”, which can be things like system services (programs), but also mount points, swap files, devices, targets (groups of units) and more. Units can have complex dependencies; for instance, one unit can require that another unit must be successfully started before the first unit can be started. When the system boots, it starts a unit named; the dependencies of this unit cause all system services to be started, file systems to be mounted, swap files to be activated, and so on.

The command systemctl is the main way to interact with systemd. Without any arguments, it shows the status of active units:

$ systemctl
-.mount          loaded active mounted   /
swapfile.swap    loaded active active    /swapfile
sshd.service     loaded active running   SSH Daemon loaded active active    Graphical Interface

You can ask for detailed status information about a unit, for instance, the PostgreSQL database service:

$ systemctl status postgresql.service
postgresql.service - PostgreSQL Server
          Loaded: loaded (/nix/store/pn3q73mvh75gsrl8w7fdlfk3fq5qm5mw-unit/postgresql.service)
          Active: active (running) since Mon, 2013-01-07 15:55:57 CET; 9h ago
        Main PID: 2390 (postgres)
          CGroup: name=systemd:/system/postgresql.service
                  ├─2390 postgres
                  ├─2418 postgres: writer process
                  ├─2419 postgres: wal writer process
                  ├─2420 postgres: autovacuum launcher process
                  ├─2421 postgres: stats collector process
                  └─2498 postgres: zabbix zabbix [local] idle

Jan 07 15:55:55 hagbard postgres[2394]: [1-1] LOG:  database system was shut down at 2013-01-07 15:55:05 CET
Jan 07 15:55:57 hagbard postgres[2390]: [1-1] LOG:  database system is ready to accept connections
Jan 07 15:55:57 hagbard postgres[2420]: [1-1] LOG:  autovacuum launcher started
Jan 07 15:55:57 hagbard systemd[1]: Started PostgreSQL Server.

Note that this shows the status of the unit (active and running), all the processes belonging to the service, as well as the most recent log messages from the service.

Units can be stopped, started or restarted:

# systemctl stop postgresql.service
# systemctl start postgresql.service
# systemctl restart postgresql.service

These operations are synchronous: they wait until the service has finished starting or stopping (or has failed). Starting a unit will cause the dependencies of that unit to be started as well (if necessary).

Chapter 21. Rebooting and Shutting Down

The system can be shut down (and automatically powered off) by doing:

# shutdown

This is equivalent to running systemctl poweroff.

To reboot the system, run

# reboot

which is equivalent to systemctl reboot. Alternatively, you can quickly reboot the system using kexec, which bypasses the BIOS by directly loading the new kernel into memory:

# systemctl kexec

The machine can be suspended to RAM (if supported) using systemctl suspend, and suspended to disk using systemctl hibernate.

These commands can be run by any user who is logged in locally, i.e. on a virtual console or in X11; otherwise, the user is asked for authentication.

Chapter 22. User Sessions

Systemd keeps track of all users who are logged into the system (e.g. on a virtual console or remotely via SSH). The command loginctl allows querying and manipulating user sessions. For instance, to list all user sessions:

$ loginctl
   SESSION        UID USER             SEAT
        c1        500 eelco            seat0
        c3          0 root             seat0
        c4        500 alice

This shows that two users are logged in locally, while another is logged in remotely. (“Seats” are essentially the combinations of displays and input devices attached to the system; usually, there is only one seat.) To get information about a session:

$ loginctl session-status c3
c3 - root (0)
           Since: Tue, 2013-01-08 01:17:56 CET; 4min 42s ago
          Leader: 2536 (login)
            Seat: seat0; vc3
             TTY: /dev/tty3
         Service: login; type tty; class user
           State: online
          CGroup: name=systemd:/user/root/c3
                  ├─ 2536 /nix/store/10mn4xip9n7y9bxqwnsx7xwx2v2g34xn-shadow- --
                  ├─10339 -bash
                  └─10355 w3m

This shows that the user is logged in on virtual console 3. It also lists the processes belonging to this session. Since systemd keeps track of this, you can terminate a session in a way that ensures that all the session’s processes are gone:

# loginctl terminate-session c3

Chapter 23. Control Groups

To keep track of the processes in a running system, systemd uses control groups (cgroups). A control group is a set of processes used to allocate resources such as CPU, memory or I/O bandwidth. There can be multiple control group hierarchies, allowing each kind of resource to be managed independently.

The command systemd-cgls lists all control groups in the systemd hierarchy, which is what systemd uses to keep track of the processes belonging to each service or user session:

$ systemd-cgls
│ └─eelco
│   └─c1
│     ├─ 2567 -:0
│     ├─ 2682 kdeinit4: kdeinit4 Running...
│     ├─ ...
│     └─10851 sh -c less -R
  │ ├─2444 httpd -f /nix/store/3pyacby5cpr55a03qwbnndizpciwq161-httpd.conf -DNO_DETACH
  │ └─...
  │ └─2376 dhcpcd --config /nix/store/f8dif8dsi2yaa70n03xir8r653776ka6-dhcpcd.conf
  └─ ...

Similarly, systemd-cgls cpu shows the cgroups in the CPU hierarchy, which allows per-cgroup CPU scheduling priorities. By default, every systemd service gets its own CPU cgroup, while all user sessions are in the top-level CPU cgroup. This ensures, for instance, that a thousand run-away processes in the httpd.service cgroup cannot starve the CPU for one process in the postgresql.service cgroup. (By contrast, it they were in the same cgroup, then the PostgreSQL process would get 1/1001 of the cgroup’s CPU time.) You can limit a service’s CPU share in configuration.nix: = 512;

By default, every cgroup has 1024 CPU shares, so this will halve the CPU allocation of the httpd.service cgroup.

There also is a memory hierarchy that controls memory allocation limits; by default, all processes are in the top-level cgroup, so any service or session can exhaust all available memory. Per-cgroup memory limits can be specified in configuration.nix; for instance, to limit httpd.service to 512 MiB of RAM (excluding swap): = "512M";

The command systemd-cgtop shows a continuously updated list of all cgroups with their CPU and memory usage.

Chapter 24. Logging

System-wide logging is provided by systemd’s journal, which subsumes traditional logging daemons such as syslogd and klogd. Log entries are kept in binary files in /var/log/journal/. The command journalctl allows you to see the contents of the journal. For example,

$ journalctl -b

shows all journal entries since the last reboot. (The output of journalctl is piped into less by default.) You can use various options and match operators to restrict output to messages of interest. For instance, to get all messages from PostgreSQL:

$ journalctl -u postgresql.service
-- Logs begin at Mon, 2013-01-07 13:28:01 CET, end at Tue, 2013-01-08 01:09:57 CET. --
Jan 07 15:44:14 hagbard postgres[2681]: [2-1] LOG:  database system is shut down
-- Reboot --
Jan 07 15:45:10 hagbard postgres[2532]: [1-1] LOG:  database system was shut down at 2013-01-07 15:44:14 CET
Jan 07 15:45:13 hagbard postgres[2500]: [1-1] LOG:  database system is ready to accept connections

Or to get all messages since the last reboot that have at least a “critical” severity level:

$ journalctl -b -p crit
Dec 17 21:08:06 mandark sudo[3673]: pam_unix(sudo:auth): auth could not identify password for [alice]
Dec 29 01:30:22 mandark kernel[6131]: [1053513.909444] CPU6: Core temperature above threshold, cpu clock throttled (total events = 1)

The system journal is readable by root and by users in the wheel and systemd-journal groups. All users have a private journal that can be read using journalctl.

Chapter 25. Cleaning the Nix Store

Nix has a purely functional model, meaning that packages are never upgraded in place. Instead new versions of packages end up in a different location in the Nix store (/nix/store). You should periodically run Nix’s garbage collector to remove old, unreferenced packages. This is easy:

$ nix-collect-garbage

Alternatively, you can use a systemd unit that does the same in the background:

# systemctl start nix-gc.service

You can tell NixOS in configuration.nix to run this unit automatically at certain points in time, for instance, every night at 03:15:

nix.gc.automatic = true;
nix.gc.dates = "03:15";

The commands above do not remove garbage collector roots, such as old system configurations. Thus they do not remove the ability to roll back to previous configurations. The following command deletes old roots, removing the ability to roll back to them:

$ nix-collect-garbage -d

You can also do this for specific profiles, e.g.

$ nix-env -p /nix/var/nix/profiles/per-user/eelco/profile --delete-generations old

Note that NixOS system configurations are stored in the profile /nix/var/nix/profiles/system.

Another way to reclaim disk space (often as much as 40% of the size of the Nix store) is to run Nix’s store optimiser, which seeks out identical files in the store and replaces them with hard links to a single copy.

$ nix-store --optimise

Since this command needs to read the entire Nix store, it can take quite a while to finish.

Chapter 26. Container Management

NixOS allows you to easily run other NixOS instances as containers. Containers are a light-weight approach to virtualisation that runs software in the container at the same speed as in the host system. NixOS containers share the Nix store of the host, making container creation very efficient.

Warning: Currently, NixOS containers are not perfectly isolated from the host system. This means that a user with root access to the container can do things that affect the host. So you should not give container root access to untrusted users.

NixOS containers can be created in two ways: imperatively, using the command nixos-container, and declaratively, by specifying them in your configuration.nix. The declarative approach implies that containers get upgraded along with your host system when you run nixos-rebuild, which is often not what you want. By contrast, in the imperative approach, containers are configured and updated independently from the host system.

26.1. Imperative Container Management

We’ll cover imperative container management using nixos-container first. Be aware that container management is currently only possible as root.

You create a container with identifier foo as follows:

# nixos-container create foo

This creates the container’s root directory in /var/lib/containers/foo and a small configuration file in /etc/containers/foo.conf. It also builds the container’s initial system configuration and stores it in /nix/var/nix/profiles/per-container/foo/system. You can modify the initial configuration of the container on the command line. For instance, to create a container that has sshd running, with the given public key for root:

# nixos-container create foo --config 'services.openssh.enable = true; \
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'

Creating a container does not start it. To start the container, run:

# nixos-container start foo

This command will return as soon as the container has booted and has reached On the host, the container runs within a systemd unit called container@container-name.service. Thus, if something went wrong, you can get status info using systemctl:

# systemctl status container@foo

If the container has started succesfully, you can log in as root using the root-login operation:

# nixos-container root-login foo

Note that only root on the host can do this (since there is no authentication). You can also get a regular login prompt using the login operation, which is available to all users on the host:

# nixos-container login foo
foo login: alice
Password: ***

With nixos-container run, you can execute arbitrary commands in the container:

# nixos-container run foo -- uname -a
Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux

There are several ways to change the configuration of the container. First, on the host, you can edit /var/lib/container/name/etc/nixos/configuration.nix, and run

# nixos-container update foo

This will build and activate the new configuration. You can also specify a new configuration on the command line:

# nixos-container update foo --config 'services.httpd.enable = true; \
  services.httpd.adminAddr = "";'

# curl http://$(nixos-container show-ip foo)/

However, note that this will overwrite the container’s /etc/nixos/configuration.nix.

Alternatively, you can change the configuration from within the container itself by running nixos-rebuild switch inside the container. Note that the container by default does not have a copy of the NixOS channel, so you should run nix-channel --update first.

Containers can be stopped and started using nixos-container stop and nixos-container start, respectively, or by using systemctl on the container’s service unit. To destroy a container, including its file system, do

# nixos-container destroy foo

26.2. Declarative Container Specification

You can also specify containers and their configuration in the host’s configuration.nix. For example, the following specifies that there shall be a container named database running PostgreSQL:

containers.database =
  { config =
      { config, pkgs, ... }:
      { services.postgresql.enable = true;
        services.postgresql.package = pkgs.postgresql92;

If you run nixos-rebuild switch, the container will be built. If the container was already running, it will be updated in place, without rebooting. The container can be configured to start automatically by setting containers.database.autoStart = true in its configuration.

By default, declarative containers share the network namespace of the host, meaning that they can listen on (privileged) ports. However, they cannot change the network configuration. You can give a container its own network as follows:

containers.database =
  { privateNetwork = true;
    hostAddress = "";
    localAddress = "";

This gives the container a private virtual Ethernet interface with IP address, which is hooked up to a virtual Ethernet interface on the host with IP address (See the next section for details on container networking.)

To disable the container, just remove it from configuration.nix and run nixos-rebuild switch. Note that this will not delete the root directory of the container in /var/lib/containers. Containers can be destroyed using the imperative method: nixos-container destroy foo.

Declarative containers can be started and stopped using the corresponding systemd service, e.g. systemctl start container@database.

26.3. Container Networking

When you create a container using nixos-container create, it gets it own private IPv4 address in the range You can get the container’s IPv4 address as follows:

# nixos-container show-ip foo

$ ping -c1
64 bytes from icmp_seq=1 ttl=64 time=0.106 ms

Networking is implemented using a pair of virtual Ethernet devices. The network interface in the container is called eth0, while the matching interface in the host is called ve-container-name (e.g., ve-foo). The container has its own network namespace and the CAP_NET_ADMIN capability, so it can perform arbitrary network configuration such as setting up firewall rules, without affecting or having access to the host’s network.

By default, containers cannot talk to the outside network. If you want that, you should set up Network Address Translation (NAT) rules on the host to rewrite container traffic to use your external IP address. This can be accomplished using the following configuration on the host:

networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "eth0";

where eth0 should be replaced with the desired external interface. Note that ve-+ is a wildcard that matches all container interfaces.

Chapter 27. Troubleshooting

This chapter describes solutions to common problems you might encounter when you manage your NixOS system.

27.1. Boot Problems

If NixOS fails to boot, there are a number of kernel command line parameters that may help you to identify or fix the issue. You can add these parameters in the GRUB boot menu by pressing “e” to modify the selected boot entry and editing the line starting with linux. The following are some useful kernel command line parameters that are recognised by the NixOS boot scripts or by systemd:


Start a root shell if something goes wrong in stage 1 of the boot process (the initial ramdisk). This is disabled by default because there is no authentication for the root shell.


Start an interactive shell in stage 1 before anything useful has been done. That is, no modules have been loaded and no file systems have been mounted, except for /proc and /sys.


Print every shell command executed by the stage 1 and 2 boot scripts.


Boot into rescue mode (a.k.a. single user mode). This will cause systemd to start nothing but the unit, which runs sulogin to prompt for the root password and start a root login shell. Exiting the shell causes the system to continue with the normal boot process.

systemd.log_level=debug systemd.log_target=console

Make systemd very verbose and send log messages to the console instead of the journal.

For more parameters recognised by systemd, see systemd(1).

If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If you’re lucky, this will start rescue mode (described above). (Also note that since most units have a 90-second timeout before systemd gives up on them, the agetty login prompts should appear eventually unless something is very wrong.)

27.2. Maintenance Mode

You can enter rescue mode by running:

# systemctl rescue

This will eventually give you a single-user root shell. Systemd will stop (almost) all system services. To get out of maintenance mode, just exit from the rescue shell.

27.3. Rolling Back Configuration Changes

After running nixos-rebuild to switch to a new configuration, you may find that the new configuration doesn’t work very well. In that case, there are several ways to return to a previous configuration.

First, the GRUB boot manager allows you to boot into any previous configuration that hasn’t been garbage-collected. These configurations can be found under the GRUB submenu “NixOS - All configurations”. This is especially useful if the new configuration fails to boot. After the system has booted, you can make the selected configuration the default for subsequent boots:

# /run/current-system/bin/switch-to-configuration boot

Second, you can switch to the previous configuration in a running system:

# nixos-rebuild switch --rollback

This is equivalent to running:

# /nix/var/nix/profiles/system-N-link/bin/switch-to-configuration switch

where N is the number of the NixOS system configuration. To get a list of the available configurations, do:

$ ls -l /nix/var/nix/profiles/system-*-link
lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link -> /nix/store/202b...-nixos-13.07pre4932_5a676e4-4be1055

27.4. Nix Store Corruption

After a system crash, it’s possible for files in the Nix store to become corrupted. (For instance, the Ext4 file system has the tendency to replace un-synced files with zero bytes.) NixOS tries hard to prevent this from happening: it performs a sync before switching to a new configuration, and Nix’s database is fully transactional. If corruption still occurs, you may be able to fix it automatically.

If the corruption is in a path in the closure of the NixOS system configuration, you can fix it by doing

# nixos-rebuild switch --repair

This will cause Nix to check every path in the closure, and if its cryptographic hash differs from the hash recorded in Nix’s database, the path is rebuilt or redownloaded.

You can also scan the entire Nix store for corrupt paths:

# nix-store --verify --check-contents --repair

Any corrupt paths will be redownloaded if they’re available in a binary cache; otherwise, they cannot be repaired.

27.5. Network Problems

Nix uses a so-called binary cache to optimise building a package from source into downloading it as a pre-built binary. That is, whenever a command like nixos-rebuild needs a path in the Nix store, Nix will try to download that path from the Internet rather than build it from source. The default binary cache is If this cache is unreachable, Nix operations may take a long time due to HTTP connection timeouts. You can disable the use of the binary cache by adding --option use-binary-caches false, e.g.

# nixos-rebuild switch --option use-binary-caches false

If you have an alternative binary cache at your disposal, you can use it instead:

# nixos-rebuild switch --option binary-caches

This chapter describes how you can modify and extend NixOS.

Chapter 28. Getting the Sources

By default, NixOS’s nixos-rebuild command uses the NixOS and Nixpkgs sources provided by the nixos-unstable channel (kept in /nix/var/nix/profiles/per-user/root/channels/nixos). To modify NixOS, however, you should check out the latest sources from Git. This is as follows:

$ git clone git://
$ cd nixpkgs
$ git remote add channels git://
$ git remote update channels

This will check out the latest Nixpkgs sources to ./nixpkgs the NixOS sources to ./nixpkgs/nixos. (The NixOS source tree lives in a subdirectory of the Nixpkgs repository.) The remote channels refers to a read-only repository that tracks the Nixpkgs/NixOS channels (see Chapter 4, Upgrading NixOS for more information about channels). Thus, the Git branch channels/nixos-14.12 will contain the latest built and tested version available in the nixos-14.12 channel.

It’s often inconvenient to develop directly on the master branch, since if somebody has just committed (say) a change to GCC, then the binary cache may not have caught up yet and you’ll have to rebuild everything from source. So you may want to create a local branch based on your current NixOS version:

$ nixos-version
14.04.273.ea1952b (Baboon)

$ git checkout -b local ea1952b

Or, to base your local branch on the latest version available in a NixOS channel:

$ git remote update channels
$ git checkout -b local channels/nixos-14.12

(Replace nixos-14.12 with the name of the channel you want to use.) You can use git merge or git rebase to keep your local branch in sync with the channel, e.g.

$ git remote update channels
$ git merge channels/nixos-14.12

You can use git cherry-pick to copy commits from your local branch to the upstream branch.

If you want to rebuild your system using your (modified) sources, you need to tell nixos-rebuild about them using the -I flag:

# nixos-rebuild switch -I nixpkgs=/my/sources/nixpkgs

If you want nix-env to use the expressions in /my/sources, use nix-env -f /my/sources/nixpkgs, or change the default by adding a symlink in ~/.nix-defexpr:

$ ln -s /my/sources/nixpkgs ~/.nix-defexpr/nixpkgs

You may want to delete the symlink ~/.nix-defexpr/channels_root to prevent root’s NixOS channel from clashing with your own tree.

Chapter 29. Writing NixOS Modules

NixOS has a modular system for declarative configuration. This system combines multiple modules to produce the full system configuration. One of the modules that constitute the configuration is /etc/nixos/configuration.nix. Most of the others live in the nixos/modules subdirectory of the Nixpkgs tree.

Each NixOS module is a file that handles one logical aspect of the configuration, such as a specific kind of hardware, a service, or network settings. A module configuration does not have to handle everything from scratch; it can use the functionality provided by other modules for its implementation. Thus a module can declare options that can be used by other modules, and conversely can define options provided by other modules in its own implementation. For example, the module pam.nix declares the option that allows other modules (e.g. sshd.nix) to define PAM services; and it defines the option environment.etc (declared by etc.nix) to cause files to be created in /etc/pam.d.

In Chapter 5, Configuration Syntax, we saw the following structure of NixOS modules:

{ config, pkgs, ... }:

{ option definitions

This is actually an abbreviated form of module that only defines options, but does not declare any. The structure of full NixOS modules is shown in Example 29.1, “Structure of NixOS Modules”.

Example 29.1. Structure of NixOS Modules

{ config, pkgs, ... }: 1

  imports =
    [ paths of other modules 2

  options = {
    option declarations 3

  config = {
    option definitions 4

The meaning of each part is as follows.


This line makes the current Nix expression a function. The variable pkgs contains Nixpkgs, while config contains the full system configuration. This line can be omitted if there is no reference to pkgs and config inside the module.


This list enumerates the paths to other NixOS modules that should be included in the evaluation of the system configuration. A default set of modules is defined in the file modules/module-list.nix. These don't need to be added in the import list.


The attribute options is a nested set of option declarations (described below).


The attribute config is a nested set of option definitions (also described below).

Example 29.2, “NixOS Module for the “locate” Service” shows a module that handles the regular update of the “locate” database, an index of all files in the file system. This module declares two options that can be defined by other modules (typically the user’s configuration.nix): services.locate.enable (whether the database should be updated) and services.locate.interval (when the update should be done). It implements its functionality by defining two options declared by other modules: (the set of all systemd services) and systemd.timers (the list of commands to be executed periodically by systemd).

Example 29.2. NixOS Module for the “locate” Service

{ config, lib, pkgs, ... }:

with lib;

  cfg =;
in { = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        If enabled, NixOS will periodically update the database of
        files used by the locate command.

    interval = mkOption {
      type = types.str;
      default = "02:15";
      example = "hourly";
      description = ''
        Update the locate database at this interval. Updates by
        default at 2:15 AM every day.

        The format is described in

    # Other options omitted for documentation

  config = { =
      { description = "Update Locate Database";
        path  = [ ];
        script =
            mkdir -m 0755 -p $(dirname ${toString cfg.output})
            exec updatedb \
              --localuser=${cfg.localuser} \
              ${optionalString (!cfg.includeStore) "--prunepaths='/nix/store'"} \
              --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}

    systemd.timers.update-locatedb = mkIf cfg.enable
      { description = "Update timer for locate database";
        partOf      = [ "update-locatedb.service" ];
        wantedBy    = [ "" ];
        timerConfig.OnCalendar = cfg.interval;

29.1. Option Declarations

An option declaration specifies the name, type and description of a NixOS configuration option. It is invalid to define an option that hasn’t been declared in any module. An option declaration generally looks like this:

options = {
  name = mkOption {
    type = type specification;
    default = default value;
    example = example value;
    description = "Description for use in the NixOS manual.";

The function mkOption accepts the following arguments.


The type of the option (see below). It may be omitted, but that’s not advisable since it may lead to errors that are hard to diagnose.


The default value used if no value is defined by any module. A default is not required; in that case, if the option value is never used, an error will be thrown.


An example value that will be shown in the NixOS manual.


A textual description of the option, in DocBook format, that will be included in the NixOS manual.

Here is a non-exhaustive list of option types:


A Boolean.

An integer.


A string.


A string. If there are multiple definitions, they are concatenated, with newline characters in between.


A path, defined as anything that, when coerced to a string, starts with a slash. This includes derivations.


A derivation (such as pkgs.hello) or a store path (such as /nix/store/1ifi1cfbfs5iajmvwgrbmrnrw3a147h9-hello-2.10).

types.listOf t

A list of elements of type t (e.g., types.listOf types.str is a list of strings). Multiple definitions are concatenated together.

types.attrsOf t

A set of elements of type t (e.g., types.attrsOf is a set of name/value pairs, the values being integers).

types.nullOr t

Either the value null or something of type t.

You can also create new types using the function mkOptionType. See lib/types.nix in Nixpkgs for details.

29.2. Option Definitions

Option definitions are generally straight-forward bindings of values to option names, like

config = {
  services.httpd.enable = true;

However, sometimes you need to wrap an option definition or set of option definitions in a property to achieve certain effects:

Delaying Conditionals

If a set of option definitions is conditional on the value of another option, you may need to use mkIf. Consider, for instance:

config = if then {
  environment.systemPackages = [ ... ];
} else {};

This definition will cause Nix to fail with an “infinite recursion” error. Why? Because the value of depends on the value being constructed here. After all, you could also write the clearly circular and contradictory:

config = if then {
  services.httpd.enable = false;
} else {
  services.httpd.enable = true;

The solution is to write:

config = mkIf {
  environment.systemPackages = [ ... ];

The special function mkIf causes the evaluation of the conditional to be “pushed down” into the individual definitions, as if you had written:

config = {
  environment.systemPackages = if then [ ... ] else [];

Setting Priorities

A module can override the definitions of an option in other modules by setting a priority. All option definitions that do not have the lowest priority value are discarded. By default, option definitions have priority 1000. You can specify an explicit priority by using mkOverride, e.g.

services.openssh.enable = mkOverride 10 false;

This definition causes all other definitions with priorities above 10 to be discarded. The function mkForce is equal to mkOverride 50.

Merging Configurations

In conjunction with mkIf, it is sometimes useful for a module to return multiple sets of option definitions, to be merged together as if they were declared in separate modules. This can be done using mkMerge:

config = mkMerge
  [ # Unconditional stuff.
    { environment.systemPackages = [ ... ];
    # Conditional stuff.
    (mkIf {
      environment.systemPackages = [ ... ];

29.3. Meta Attributes

Like Nix packages, NixOS modules can declare meta-attributes to provide extra information. Module meta attributes are defined in the meta.nix special module.

meta is a top level attribute like options and config. Available meta-attributes are maintainers and doc.

Each of the meta-attributes must be defined at most once per module file.

{ config, lib, pkgs, ... }:
  options = {

  config = {

  meta = {
    maintainers = with lib.maintainers; [ ericsagnes ]; 1
    doc = ./default.xml; 2


maintainers contains a list of the module maintainers.


doc points to a valid DocBook file containing the module documentation. Its contents is automatically added to Part II, “Configuration”. Changes to a module documentation have to be checked to not break building the NixOS manual:

$ nix-build nixos/release.nix -A manual

Chapter 30. Building Specific Parts of NixOS

With the command nix-build, you can build specific parts of your NixOS configuration. This is done as follows:

$ cd /path/to/nixpkgs/nixos
$ nix-build -A config.option

where option is a NixOS option with type “derivation” (i.e. something that can be built). Attributes of interest include:

The top-level option that builds the entire NixOS system. Everything else in your configuration is indirectly pulled in by this option. This is what nixos-rebuild builds and what /run/current-system points to afterwards.

A shortcut to build this is:

$ nix-build -A system

The NixOS manual.

A tree of symlinks that form the static parts of /etc.,

The initial ramdisk and kernel of the system. This allows a quick way to test whether the kernel and the initial ramdisk boot correctly, by using QEMU’s -kernel and -initrd options:

$ nix-build -A -o initrd
$ nix-build -A -o kernel
$ qemu-system-x86_64 -kernel ./kernel/bzImage -initrd ./initrd/initrd -hda /dev/null,,

These build the corresponding NixOS commands.


This builds the unit with the specified name. Note that since unit names contain dots (e.g. httpd.service), you need to put them between quotes, like this:

$ nix-build -A 'config.systemd.units."httpd.service".unit'

You can also test individual units, without rebuilding the whole system, by putting them in /run/systemd/system:

$ cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \
# systemctl daemon-reload
# systemctl start tmp-httpd.service

Note that the unit must not have the same name as any unit in /etc/systemd/system since those take precedence over /run/systemd/system. That’s why the unit is installed as tmp-httpd.service here.

Chapter 31. Building Your Own NixOS CD

Building a NixOS CD is as easy as configuring your own computer. The idea is to use another module which will replace your configuration.nix to configure the system that would be installed on the CD.

Default CD/DVD configurations are available inside nixos/modules/installer/cd-dvd. To build them you have to set NIXOS_CONFIG before running nix-build to build the ISO.

$ nix-build -A -I nixos-config=modules/installer/cd-dvd/installation-cd-minimal.nix

Before burning your CD/DVD, you can check the content of the image by mounting anywhere like suggested by the following command:

# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso

Chapter 32. NixOS Tests

When you add some feature to NixOS, you should write a test for it. NixOS tests are kept in the directory nixos/tests, and are executed (using Nix) by a testing framework that automatically starts one or more virtual machines containing the NixOS system(s) required for the test.

32.1. Writing Tests

A NixOS test is a Nix expression that has the following structure:

import ./make-test.nix {

  # Either the configuration of a single machine:
  machine =
    { config, pkgs, ... }:
    { configuration…

  # Or a set of machines:
  nodes =
    { machine1 =
        { config, pkgs, ... }: {  };
      machine2 =
        { config, pkgs, ... }: {  };

  testScript =
      Perl code…

The attribute testScript is a bit of Perl code that executes the test (described below). During the test, it will start one or more virtual machines, the configuration of which is described by the attribute machine (if you need only one machine in your test) or by the attribute nodes (if you need multiple machines). For instance, login.nix only needs a single machine to test whether users can log in on the virtual console, whether device ownership is correctly maintained when switching between consoles, and so on. On the other hand, nfs.nix, which tests NFS client and server functionality in the Linux kernel (including whether locks are maintained across server crashes), requires three machines: a server and two clients.

There are a few special NixOS configuration options for test VMs:


The memory of the VM in megabytes.


The virtual networks to which the VM is connected. See nat.nix for an example.


By default, the Nix store in the VM is not writable. If you enable this option, a writable union file system is mounted on top of the Nix store to make it appear writable. This is necessary for tests that run Nix operations that modify the store.

For more options, see the module qemu-vm.nix.

The test script is a sequence of Perl statements that perform various actions, such as starting VMs, executing commands in the VMs, and so on. Each virtual machine is represented as an object stored in the variable $name, where name is the identifier of the machine (which is just machine if you didn’t specify multiple machines using the nodes attribute). For instance, the following starts the machine, waits until it has finished booting, then executes a command and checks that the output is more-or-less correct:

$machine->succeed("uname") =~ /Linux/;

The first line is actually unnecessary; machines are implicitly started when you first execute an action on them (such as waitForUnit or succeed). If you have multiple machines, you can speed up the test by starting them in parallel:


The following methods are available on machine objects:


Start the virtual machine. This method is asynchronous — it does not wait for the machine to finish booting.


Shut down the machine, waiting for the VM to exit.


Simulate a sudden power failure, by telling the VM to exit immediately.


Simulate unplugging the Ethernet cable that connects the machine to the other machines.


Undo the effect of block.


Take a picture of the display of the virtual machine, in PNG format. The screenshot is linked from the HTML log.


Return a textual representation of what is currently visible on the machine's screen using optical character recognition.

Note: This requires passing enableOCR to the test attribute set.

Send a command to the QEMU monitor. This is rarely used, but allows doing stuff such as attaching virtual USB disks to a running machine.


Simulate pressing keys on the virtual keyboard, e.g., sendKeys("ctrl-alt-delete").


Simulate typing a sequence of characters on the virtual keyboard, e.g., sendKeys("foobar\n") will type the string foobar followed by the Enter key.


Execute a shell command, returning a list (status, stdout).


Execute a shell command, raising an exception if the exit status is not zero, otherwise returning the standard output.


Like succeed, but raising an exception if the command returns a zero status.


Repeat a shell command with 1-second intervals until it succeeds.


Repeat a shell command with 1-second intervals until it fails.


Wait until the specified systemd unit has reached the “active” state.


Wait until the specified file exists.


Wait until a process is listening on the given TCP port (on localhost, at least).


Wait until nobody is listening on the given TCP port.


Wait until the X11 server is accepting connections.


Wait until the supplied regular expressions matches the textual contents of the screen by using optical character recognition (see getScreenText).

Note: This requires passing enableOCR to the test attribute set.

Wait until an X11 window has appeared whose name matches the given regular expression, e.g., waitForWindow(qr/Terminal/).

32.2. Running Tests

You can run tests using nix-build. For example, to run the test login.nix, you just do:

$ nix-build '<nixpkgs/nixos/tests/login.nix>'

or, if you don’t want to rely on NIX_PATH:

$ cd /my/nixpkgs/nixos/tests
$ nix-build login.nix
running the VM test script
machine: QEMU running (pid 8841)
6 out of 6 tests succeeded

After building/downloading all required dependencies, this will perform a build that starts a QEMU/KVM virtual machine containing a NixOS system. The virtual machine mounts the Nix store of the host; this makes VM creation very fast, as no disk image needs to be created. Afterwards, you can view a pretty-printed log of the test:

$ firefox result/log.html

32.3. Running Tests interactively

The test itself can be run interactively. This is particularly useful when developing or debugging a test:

$ nix-build nixos/tests/login.nix -A driver
$ ./result/bin/nixos-test-driver
starting VDE switch for network 1

You can then take any Perl statement, e.g.

> startAll
> testScript
> $machine->succeed("touch /tmp/foo")

The function testScript executes the entire test script and drops you back into the test driver command line upon its completion. This allows you to inspect the state of the VMs after the test (e.g. to debug the test script).

To just start and experiment with the VMs, run:

$ nix-build nixos/tests/login.nix -A driver
$ ./result/bin/nixos-run-vms

The script nixos-run-vms starts the virtual machines defined by test. The root file system of the VMs is created on the fly and kept across VM restarts in ./hostname.qcow2.

Chapter 33. Testing the Installer

Building, burning, and booting from an installation CD is rather tedious, so here is a quick way to see if the installer works properly:

$ nix-build -A
# mount -t tmpfs none /mnt
# ./result/bin/nixos-install

To start a login shell in the new NixOS installation in /mnt:

# ./result/bin/nixos-install --chroot

Chapter 34. Releases

34.1. Release process

Going through an example of releasing NixOS 15.09:

34.1.1. One month before the beta

  • Send an email to nix-dev mailinglist as a warning about upcoming beta "feature freeze" in a month.

  • Discuss with Eelco Dolstra and the community (via IRC, ML) about what will reach the deadline. Any issue or Pull Request targeting the release should have assigned milestone.

34.1.2. At beta release time

34.1.3. Before the final release

34.1.4. At final release time

  • git tag -s -a -m "Release 15.09" 15.09

  • Update and in

  • Get number of commits for the release: git log release-14.04..release-14.12 --format=%an|wc -l

  • Commits by contributor: git log release-14.04..release-14.12 --format=%an|sort|uniq -c|sort -rn

  • Send an email to nix-dev to announce the release with above information. Best to check how previous email was formulated to see what needs to be included.

34.2. Release schedule

Date Event
2016-07-25 Send email to nix-dev about upcoming branch-off
2016-09-01 release-16.09 branch and corresponding jobsets are created, change freeze
2016-09-30 NixOS 16.09 released